Infrastructure Security Blog<br />
This Blog includes thought leadership, news and pointers to helpful resources related to the rapidly evolving world of global infrastructure security, including physical and cyber concerns ### --- ###<br />
These comments and opinions are my own and do not reflect those of my employer or others unless noted.<br />
<br />
Report from SecureWorld Seattle - Being an Effective CISO Speech (posted 2017-11-11, updated 2017-11-12)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
This past week I attended the Seattle edition of <a href="https://events.secureworldexpo.com/details/seattle-wa-2017/">SecureWorld</a>. The first keynote speaker was Mr. Demetrios Lazarikos (aka Laz) (laz@blue-lava.net) and his talk really hit home to me as a security practitioner and former CISO. He offered some excellent advice regarding the characteristics of a cybersecurity leader, where they should report in the organizational structure, and offered some succinct recommendations to be considered.<br />
<br />
So, this is a trip report of sorts but I also thought his comments were "dead on" and I heartily endorse his opinions.<br />
<h3 style="text-align: left;">
Characteristics of Today's Cyber Leader</h3>
<div>
His key points about today's successful cybersecurity leader included:</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>Curious and a life-learner</li>
<li>Critical thinker</li>
<li>Patient and able to influence</li>
<li>Understand the value of the cybersecurity program</li>
<li>Understand and can articulate the risks to revenue and sales enablement (It's the Money!)</li>
<li>Works closely with IT audit and regulators</li>
<li>Is in it for the PASSION</li>
<li>Never lets a cybersecurity opportunity go to waste -- EVER!</li>
<li>Tries to remain vendor agnostic</li>
</ul>
<h3 style="text-align: left;">
Organizational Reporting</h3>
</div>
<div>
Laz explicitly said the "CISO NEEDS TO REPORT TO THE CEO!"</div>
<div>
<br /></div>
<div>
I heartily agree! The CISO is a very, very key cog in the gears of the organization and without an unencumbered communication to the chief decision-maker, the CISO's hands are tied (which I know from experience).</div>
<h3 style="text-align: left;">
Talking to the Board of Directors</h3>
<div>
Laz again offered some terrific advice on ways to report and communicate to the Board of Directors. Because you usually only have 10-15 minutes for your discussion, his suggestions included:</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>Ensure the reports are in terms THEY understand. Not technical gobbledygook.</li>
<li>Be streamlined</li>
<li>Quantify risk and loss exposure in dollars - not bits/bytes</li>
<li>Provide specific recommendations for moving ahead and protecting the enterprise</li>
<li>Emphasize the risk to revenue and risk to the brand -- not what the best firewall is</li>
</ul>
<h3 style="text-align: left;">
Recommendations</h3>
</div>
<div>
In closing, Laz offered some terrific recommendations for consideration by current and future CISOs:</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>Incorporate cybersecurity in all areas of your business -- from the individual employee to the CEO; from the mundane janitorial services to the strategic planning</li>
<li>Be an enabler -- always consider risk to revenue and sales enablement</li>
<li>Meet and know the CEO --- don't meet them for the first time during a data breach</li>
<li>Understand and report to the business in "business terminology"</li>
<li>Collaborate, Collaborate, Collaborate!</li>
</ul>
</div>
Overall, Laz's speech was one I could understand and equate to due to my time in the trenches and my own experience. Thanks to SecureWorld for inviting Laz to speak! <br />
<div>
<br /></div>
<div style="text-align: center;">
### ###</div>
</div>
Resources to Learn About ICS Security (posted 2017-11-07)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">I had an interesting conversation with a colleague yesterday. He called to ask for some advice on ways to advance his career in the industrial controls security space. He held a Certified Information Systems Security Professional (CISSP) certificate and a Masters in Information Security. However, he was frustrated on determining ways to move ahead in ICS security.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">As I considered his questions I realized that a person who can advance in the areas of industrial controls security is someone with factory or process plant experience, an understanding of basic controls theory, and a solid understanding of factory/process plant operations and maintenance. These are very fundamental to one understanding the causes and effects of ICS security.</span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>CLASSROOM / ONLINE TRAINING</b></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Besides the “floor” experience, an individual interested in ICS security probably needs some formal training on the key aspects of ICS security you don’t learn when studying for your CISSP. My recommendations include:<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="line-height: 107%;"><span style="font-family: Arial, Helvetica, sans-serif;"><b>ICS-CERT </b><span style="color: #333333;"><b>Cyber Security Industrial Control Systems (210W):</b> This is a free course available on the <a href="https://ics-cert-training.inl.gov/">ICS-CERT Virtual Learning Portal</a>. The training is all self-paced and requires between 10 and 15 hours to complete. It is a great way to begin your ICS security knowledge journey.</span></span></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoListParagraphCxSpFirst" style="text-align: left; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Arial, Helvetica, sans-serif;">·<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span><b><a href="https://www.sans.org/course/ics-scada-cyber-security-essentials">SANS <span style="background: white; line-height: 107%;">ICS 410: ICS/SCADA Security Essentials</span></a></b><span style="background: white; color: #292929; line-height: 107%;"><b>:</b> If you take the course, you’ll essentially have the necessary training to pass the SANS GICSP – Global Industrial Cyber Security Professional certification. The details on the 5-day class are located <a href="https://www.sans.org/course/ics-scada-cyber-security-essentials">here</a>. Of note, you don’t need to take the course but can instead pay to take the test.<br />
<!--[if !supportLineBreakNewLine]--></span><o:p></o:p></span></div>
<div class="MsoListParagraphCxSpFirst" style="text-align: left; text-indent: -0.25in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background: white; color: #292929; line-height: 107%;"><b><br /></b></span></span></div>
<div class="MsoListParagraphCxSpLast" style="text-align: left; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Arial, Helvetica, sans-serif;"><b>·<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span><a href="https://www.isa.org/training-and-certifications/isa-training/top-tier-training-for-top-notch-protection/">ISA Cybersecurity Training</a>: </b>The International Society for Automation (ISA) offers a series of four different classes covering ICS security. These class titles include:<o:p></o:p></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 1in; text-align: left; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #333333;">o<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span></span><!--[endif]--><span style="color: #333333;">Industrial Networking and Security (TS12)</span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 1in; text-align: left; text-indent: -0.25in;">
<span style="color: #333333; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">o<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span></span><span style="color: #333333; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">Introduction to Industrial Automation Security and the ANSI/ISA99 Standards (IC32C)</span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 1in; text-align: left; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #333333;">o<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span></span><!--[endif]--><span style="color: #333333;">Using the ANSI/ISA99 Standard to Secure Your Control System (IC32)<o:p></o:p></span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 1in; text-align: left; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #333333;">o<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span></span><!--[endif]--><span style="color: #333333;">Assessing the Cybersecurity of New or Existing IACS Systems (IC33)<o:p></o:p></span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 1in; text-align: left; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #333333;">o<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span></span><!--[endif]--><span style="color: #333333;">IACS Cybersecurity Design & Implementation (IC34), and<o:p></o:p></span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 1in; text-align: left; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #333333;">o<span style="font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span></span><!--[endif]--><span style="color: #333333;">IACS Cybersecurity Operations & Maintenance (IC37)<o:p></o:p></span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 0.5in; text-align: left;">
<span style="color: #333333;"><span style="font-family: Arial, Helvetica, sans-serif;">As I understand, each course has an associated certificate (<b><i><u>not certification</u></i></b>) with each class which you can receive after you satisfactorily pass a written test.<o:p></o:p></span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 0.5in; text-align: left;">
<span style="color: #333333;"><span style="font-family: Arial, Helvetica, sans-serif;">Overall, the ISA training has come a long way and should help with understanding <i>practical</i> ICS security.<o:p></o:p></span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 0.5in; text-align: left;">
<span style="color: #333333;"><span style="font-family: Arial, Helvetica, sans-serif;">You can find out more information regarding the ISA classes <a href="https://www.isa.org/training-and-certifications/isa-training/top-tier-training-for-top-notch-protection/">here</a>.</span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt 0.5in; text-align: left;">
<br /></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt; text-align: left;">
<span style="color: #333333; font-family: Arial, Helvetica, sans-serif;"><b>READING RECOMMENDATIONS</b></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt; text-align: left;">
<span style="color: #333333; font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt; text-align: left;">
<span style="color: #333333;"><span style="font-family: Arial, Helvetica, sans-serif;">In regards to reading, I’d highly recommend the following documents to read and establish your baseline knowledge of ICS security. </span></span></div>
<div style="background: white; line-height: 12pt; margin: 6pt 0in 0.0001pt; text-align: left;">
</div>
<ul style="text-align: left;">
<li><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;"><span style="color: #333333;"><a href="https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final"><i><span style="font-weight: normal;">Guide to Industrial Control Systems (ICS) Security</span></i><span style="font-weight: normal;">, NIST SP 800-82 R2</span></a></span></b><span style="color: #333333; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">: Even though this is issued by the National Institute of Standards and Technology (NIST) it is a decent “textbook” prepared to give the reader a comprehensive view of ICS and the security issues associated with “operational technology (OT).” I’d recommend the student read this document before moving ahead to any of the training above. By the way, this is free.<br /></span></li>
<li><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;"><i><span style="color: #333333;"><a href="https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf"><span style="font-style: normal; font-weight: normal;">An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity</span></a></span></i></b><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;"><span style="color: #333333;">, SANS: </span></b><span style="color: #333333; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">This document is a high-level introduction to industrial controls, control theory, the history of industrial controls and a history of the security issues affecting ICS – including the infamous Stuxnet. This information will be very helpful to the reader as they progress through the courses above and in their work. Again, another resource available at no charge.<br /></span></li>
<li><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;"><i><span style="color: #333333;"><a href="https://smile.amazon.com/Industrial-Network-Security-Second-Infrastructure/dp/0124201148/ref=sr_1_1?ie=UTF8&qid=1510115264&sr=8-1&keywords=industrial+network+security"><span style="font-style: normal; font-weight: normal;">Industrial Network Security, by Eric D. Knapp and Joel Thomas Langill, Syngress Press</span></a></span></i></b><span style="color: #333333; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">: Although a $40 investment, this book offers excellent information on ICS and ICS security you will not normally see in the resources above or in other books written on SCADA security. Messrs. Knapp and Langill provide excellent, real-world perspective on ICS security. So, if you’re serious about your ICS security training, I strongly recommend you get this book and read/study it.</span></li>
</ul>
<br />
<div class="MsoListParagraphCxSpFirst" style="margin-left: 1in; text-align: left;">
<br /></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: 0in; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">I’ve been lucky in my past 45+ years of work where I’ve operated power plants, evaluated various factories, and had a chance to practice “practical ICS security.” Fortunately, my background has given me the tools to advance in this area but I’ve also taken advantage of the resources above.<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: 0in; text-align: left;">
<br /></div>
<div align="center" class="MsoListParagraphCxSpMiddle" style="margin-left: 0in; mso-add-space: auto; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;">### END ###<o:p></o:p></span></div>
<div style="text-align: left;">
</div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 1in; text-align: left;">
<br /></div>
</div>
Posted 2017-10-23<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="text-align: center;">
<b><span style="font-size: large;">REPORT FROM NERC GRIDSECCON</span><o:p></o:p></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Last week I attended and spoke at the North American Electric Reliability Corporation (NERC) GRIDSECCON – electric grid security conference in St. Paul, Minnesota. The meeting was very well attended with around 500 attendees from around the US, Canada, and even Japan. My compliments to the organizers! It was a terrific meeting and worth everyone’s time.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I’d like to raise three key points that surfaced during the meeting and go into more detail on one of them.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoListParagraphCxSpFirst" style="text-align: left; text-indent: -0.25in;">
</div>
<ol style="text-align: left;">
<li>T<span style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">here were several presentations regarding the risks to critical infrastructure by commercially available drones. This was a bit of a surprise to many attendees since the drone threat has not really been recognized as one.<br /></span></li>
<li> <span style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">A major threat to electric utilities is the challenges of </span><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">INSIDER THREAT</b><span style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">. This is an issue that makes one wonder “why would anyone want to attack my company from the inside?” Well, the NERC Electricity-Information Sharing and Analysis Center (E-ISAC) team mentioned this risk repeatedly. So, take some time to be sure you are paying attention to the inside of your company for both physical and cyber-attacks and disruptions.<br /></span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-stretch: normal; font-variant-numeric: normal; line-height: normal; text-indent: -0.25in;"> </span><span style="font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">The third threat of mention is the “bad guys” trying to harvest credentials that can be used against the company. This is where I’d like to spend a few extra lines of text.</span></li>
</ol>
<div class="MsoNormal">
<b><span style="font-family: Arial, Helvetica, sans-serif;">CREDENTIAL HARVESTING<o:p></o:p></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Right now, the current and potential attackers are trying to harvest and collect credentials used for cyber access into a utility/energy company. These credentials can make the attacker’s life much easier and using ill-gotten credentials has been demonstrated in such notorious attacks as in the Ukraine. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The attackers try to harvest credentials via the “normal” means such as using <b>PHISHING </b>attacks on email. But the attackers are also surveying and monitoring social media for a user’s credentials and password access answers. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">For example, if I know a person works at Utility X, then I can monitor their social networking – including non-work-related posts – for such things as the names of their kids, pets, mother’s maiden name, etc. All good information to use when you are trying to reset a password. Also, by monitoring their social networking I may be able to glean information about upcoming utility operations such as a planned outage that keeps Dad or Mom away from their kid’s soccer game. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Useful information for the attacker.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">One particular issue that is really disconcerting is how individuals use the same username and password for their social networks and personal email as they use for work. <b>THIS IS REALLY DANGEROUS AND SHOULD NOT BE DONE! </b>If I can hack into your social network and determine your username and password, that allows me to “pivot” to the utility username and log in and enter the utility network.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Such a practice should not be condoned by any organization and, in fact, should be an Employee Awareness posting at least every six months.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<b><span style="font-family: Arial, Helvetica, sans-serif;">CONCLUSION<br /><br /><o:p></o:p></span></b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">NERC GRIDSECCON was a useful meeting and I look forward to next year’s event – somewhere in the Western Electric Coordinating Council (WECC) territory. This meeting raised some very key points of concern and as you’ve seen above the utility and critical infrastructure management needs to pay attention to Drones, the Insider Threat, and Credential Harvesting.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Thanks for reading!</span><o:p></o:p></div>
</div>
WannaCry Ransomware and Industrial Control Systems (posted 2017-06-09)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; text-align: center; vertical-align: baseline;">
<b><i>The following article was posted on my LinkedIn account and was prepared by me with assistance from several of my colleagues at my employer, BBA (<a href="http://www.bba.ca/">www.bba.ca</a>). </i></b></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; text-align: center; vertical-align: baseline;">
<b><i>The actual article can be located at this <a href="https://www.linkedin.com/pulse/wannacry-industrial-control-systems-ernie-hayden?trk=v-feed&lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3B95NlTNqDlksjlNHPNNZ7gA%3D%3D">LINK</a>.</i></b></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; text-align: center; vertical-align: baseline;">
###</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
There’s been substantial discussion in the media and on the interwebs about the ransomware called “WannaCry”. This malicious software (malware), which blocks access to data until a ransom is paid, has been destructive. It’s caused financial consequences as well as extreme inconveniences for critical businesses across the globe, such as the National Healthcare Service in the United Kingdom, which was one of the first and most significant victims of the attack (a total of <a href="https://www.cnet.com/news/wannacry-ransomware-wimp-why-security-pros-are-staying-chill/"><span style="color: #8c68cb; font-family: inherit;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border-color: initial; border-image: initial; border-style: initial; cursor: pointer; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; outline-color: initial; outline-width: initial;">300,000 computers in 150 countries</span></span> </a>had been locked by WannaCry as of the end of May 2017).</div>
<h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85); font-family: "Source Sans Pro", Helvetica, Arial, sans-serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
WHAT IS RANSOMWARE?</h3>
<div class="slate-resizable-image-embed slate-image-embed__resize-right" data-imgsrc="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAxpAAAAJGI0MThmNDFhLTFkY2QtNDZmZS05Zjc5LTYyY2M0ODBlNjYzMA.jpg" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; clear: both; color: rgba(0, 0, 0, 0.7); float: right; font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin: 0px 0px 0px 32px; max-width: 432px; outline: 0px; padding: 0px; vertical-align: baseline;">
<img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAxpAAAAJGI0MThmNDFhLTFkY2QtNDZmZS05Zjc5LTYyY2M0ODBlNjYzMA.jpg" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: auto; line-height: inherit; margin: 0px; max-width: 100%; outline: 0px; padding: 0px; vertical-align: baseline;" /></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
Ransomware is a type of malicious software that carries out a cryptoviral extortion attack: it blocks access to data until a ransom is paid. It displays a message requesting payment to unlock the data.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
Where did ransomware originate? The first documented case appeared in 2005 in the United States, and ransomware quickly spread around the world.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged $864. However, there’s no guarantee that paying will get your data back<em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: Georgia, "Source Serif Pro", serif; font-size: 0.975em; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">.</em></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
How did WannaCry operate? It appears to have used a flaw in Microsoft's software, discovered by the National Security Agency and leaked by hackers, to spread rapidly across networks locking away files.</div>
<h2 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85); font-family: "Source Sans Pro", Helvetica, Arial, sans-serif; font-size: 26px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin: 2.8rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
IT VS. OT SYSTEMS</h2>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
However, it appears that the ransomware was focused on the <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: Georgia, "Source Serif Pro", serif; font-size: 0.975em; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Enterprise IT </em>systems and not the <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: Georgia, "Source Serif Pro", serif; font-size: 0.975em; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Operational Technology (OT), also known as</em> <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: Georgia, "Source Serif Pro", serif; font-size: 0.975em; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Industrial Control Systems (ICS),</em> although a <a href="http://ca.reuters.com/article/technologyNews/idCAKCN18B1XG-OCATC" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; 
margin: 0px; outline: none; padding: 0px; text-decoration-line: none; vertical-align: baseline; word-wrap: break-word;" target="_blank">small number of U.S. critical infrastructure operators were reportedly affected</a>. In any case, understanding the difference between these two types of systems is crucial to ensure the cybersecurity of your plant or facility… and whether or not ransomware like WannaCry can affect them.</div>
<div class="slate-resizable-image-embed slate-image-embed__resize-full-width" data-imgsrc="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAw3AAAAJDVmYTkxYWRmLTVmOWYtNDU1MC04YmMxLThmN2VmYzc1NWIxNg.png" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; clear: both; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin: 3.2rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAw3AAAAJDVmYTkxYWRmLTVmOWYtNDU1MC04YmMxLThmN2VmYzc1NWIxNg.png" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: auto; line-height: inherit; margin: 0px; max-width: 100%; outline: 0px; padding: 0px; vertical-align: baseline; width: 744px;" /></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
The above figure illustrates the typical separation between Enterprise Information Technology (IT) and Operational Technology (OT), also known as ICS. Enterprise IT is composed of systems used to run a business: emails, time sheet reporting, finance, expense reporting, purchasing, etc. These systems are normally Windows-based, including Windows Servers and Windows operating systems.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
On the OT side of the business, most of the “computers” are small and specialized machines, such as programmable logic controllers (PLCs), distributed control systems (DCSs), engineering workstations, historians (basically focused, real-time databases), etc. Some Windows operating systems are used on the OT side, but there are also many other types of industrial communications protocols for data exchanges beyond normal TCP/IP.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
Most importantly, Enterprise IT networks are usually connected to the Internet, while OT networks tend to be separated from the world wide web. There are normally no direct communication links between IT and OT networks. That’s why WannaCry ransomware is affecting applications and data on Enterprise IT systems more than on the OT systems.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
To date, a handful of cases in which ICS were infected have been reported. Nonetheless, “the news should put all companies that rely on industrial control systems (ICS) on high alert because the choices available to protect the systems within an industrial process facility are much more limited than those in corporate IT”, <a href="http://www.esecurityplanet.com/threats/wannacry-ransomware-hits-u.s.-critical-infrastructure.html" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration-line: none; vertical-align: baseline; word-wrap: break-word;" target="_blank">explained the PAS Global CEO this week</a>. Indeed, there are opportunities for WannaCry to locate and encrypt an unpatched Windows system in any ICS.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
As of this time, there are no verified examples where WannaCry attacked and “bricked” a human machine interface (HMI) on a factory floor or caused an industrial system to fail quietly or catastrophically. But the opportunities are present wherever Windows operating systems are installed in the ICS in such places as HMIs, ICS engineering workstations, etc. ICS components of a plant are not patched or updated as often as IT systems components for a simple reason: reboot activities and software uploads require a production shutdown or the production lines must be in “safe mode” to avoid undesirable consequences on the production systems.</div>
<h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85); font-family: "Source Sans Pro", Helvetica, Arial, sans-serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
RECOMMENDATIONS TO CONSIDER</h3>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
Here are four basic recommendations to ensure that ransomware, such as WannaCry, doesn’t endanger your production line and operations:</div>
<ol style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; list-style-image: initial; list-style-position: initial; margin: 3.2rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">Make sure the ICS is separated from the Enterprise Information Technology (IT) network and from the Internet where the WannaCry malware could migrate.</li>
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"> ICS operators/engineers/security personnel should make it a high priority to patch the Windows systems as soon as practical to reduce the risk and impact of the WannaCry malware.</li>
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">ICS operators should ensure that any portable media (e.g., USB drives) and/or laptops/test equipment capable of “carrying” the WannaCry malware (or any malware in all cases) is checked for known malware <em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: Georgia, "Source Serif Pro", serif; font-size: 0.975em; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">before</em> the portable media even comes into contact with the ICS and its components.</li>
<li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">ICS operators, engineers and security personnel should make it a point to closely monitor the <a href="https://ics-cert.us-cert.gov/" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration-line: none; vertical-align: baseline; word-wrap: break-word;" target="_blank">US ICS-CERT alerts and advisories</a> or <a href="https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new." rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration-line: none; vertical-align: baseline; word-wrap: break-word;" target="_blank">subscribe to their mail alert</a>.</li>
</ol>
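<div>
One way to check recommendations 1 and 2 against your own data, as an added example that is not part of the original post: the script flags firewall allow rules that let Enterprise IT or Internet sources reach the ICS network, and lists Windows hosts inside the ICS network that lack a required update. The subnets, rule names, host names and the REQUIRED_UPDATE placeholder are constructed assumptions.</div>

```python
"""Audit a constructed firewall ruleset and asset inventory for ICS exposure."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example values (assumptions, not taken from the original post).
OT_NETS = [ip_network("10.50.0.0/16")]          # the ICS / OT address space
REQUIRED_UPDATE = "VENDOR-UPDATE-PLACEHOLDER"   # stand-in for the fix your site tracks


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # source CIDR (IPv4 in this sample)
    dst: str           # destination CIDR
    ports: tuple = ()  # empty tuple means any port


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    os: str
    updates: frozenset


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches every packet that `inner` matches."""
    src_ok = ip_network(inner.src).subnet_of(ip_network(outer.src))
    dst_ok = ip_network(inner.dst).subnet_of(ip_network(outer.dst))
    ports_ok = not outer.ports or (inner.ports and set(inner.ports) <= set(outer.ports))
    return src_ok and dst_ok and bool(ports_ok)


def crossing_rules(rules):
    """Names of allow rules that let a source outside the OT zone reach it.

    Rules are evaluated first-match-wins. An allow rule that an earlier deny
    rule covers completely can never match, so it is not reported.
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        reaches_ot = any(dst.overlaps(ot) for ot in OT_NETS)
        from_outside = not any(src.subnet_of(ot) for ot in OT_NETS)
        shadowed = any(r.action == "deny" and _covers(r, rule) for r in rules[:i])
        if reaches_ot and from_outside and not shadowed:
            findings.append(rule.name)
    return findings


def unpatched_ot_windows(assets):
    """Sorted host names of Windows machines in the OT zone missing the update."""
    missing = []
    for asset in assets:
        in_ot = any(ip_address(asset.ip) in ot for ot in OT_NETS)
        is_windows = asset.os.lower().startswith("windows")
        if in_ot and is_windows and REQUIRED_UPDATE not in asset.updates:
            missing.append(asset.host)
    return sorted(missing)


# Constructed sample ruleset, in evaluation order.
RULES = [
    Rule("historian-replication", "allow", "10.10.20.5/32", "10.50.1.10/32", (1433,)),
    Rule("block-it-to-ot", "deny", "10.10.0.0/16", "10.50.0.0/16"),
    Rule("legacy-report-pull", "allow", "10.10.30.0/24", "10.50.2.0/24", (443,)),
    Rule("vendor-remote-support", "allow", "0.0.0.0/0", "10.50.3.7/32", (3389,)),
    Rule("hmi-to-plc", "allow", "10.50.3.0/24", "10.50.4.0/24", (502,)),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample inventory.
ASSETS = [
    Asset("hmi-01", "10.50.3.11", "Windows 7", frozenset()),
    Asset("eng-ws-02", "10.50.3.7", "Windows 10", frozenset({REQUIRED_UPDATE})),
    Asset("historian-01", "10.50.1.10", "Windows Server 2008 R2", frozenset({"OTHER-UPDATE"})),
    Asset("plc-line-4", "10.50.4.20", "Vendor firmware", frozenset()),
    Asset("mail-01", "10.10.20.9", "Windows Server 2012", frozenset()),
]

if __name__ == "__main__":
    print("Allow rules crossing into OT:", crossing_rules(RULES))
    print("Unpatched Windows hosts in OT:", unpatched_ot_windows(ASSETS))
```

The `legacy-report-pull` rule is not reported because the earlier `block-it-to-ot` deny covers it entirely, while `vendor-remote-support` is reported because its source range is wider than that deny.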
<h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85); font-family: "Source Sans Pro", Helvetica, Arial, sans-serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
SUMMARY</h3>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
Simply stated, WannaCry can impact ICSs and susceptible components; it takes hard work and constant, 24/7 due-diligence to stay on top of the security of your ICS. Assuming the risks of a breach or successful attack should be a mantra and should always be at the top of everyone’s minds.</div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-family: "Source Serif Pro", serif; font-size: 21px; font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; text-align: center; vertical-align: baseline;">
<b>###</b></div>
</div>
Infrastructure Security Blog http://www.blogger.com/profile/03758998242854279163 noreply@blogger.com
tag:blogger.com,1999:blog-5697056867177470631.post-3048231979870376596 2017-01-09T11:01:00.000-08:00 2017-01-09T11:01:40.170-08:00
DHS Designates Election Infrastructure as a Critical Infrastructure Subsector
<div dir="ltr" style="text-align: left;" trbidi="on">
On Friday, January 6, 2017, the Secretary of the US Department of Homeland Security, Jeh Johnson, announced that DHS has designated the US Election System as "CRITICAL INFRASTRUCTURE."<br />
<br />
In the <a href="https://www.dhs.gov/news/2017/01/06/statement-secretary-johnson-designation-election-infrastructure-critical">press release</a>, Johnson noted that <b><i>"Given the vital role elections play in our country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure."</i></b><br />
<b><i><br /></i></b>
According to the press release, "Election Infrastructure" is defined as:<br />
<br />
<br />
<ul style="text-align: left;">
<li>Storage facilities</li>
<li>Polling places</li>
<li>Centralized vote tabulation locations</li>
<li>Information and communications technology to include:</li>
<ul>
<li>Voter registration databases</li>
<li>Voting machines</li>
<li>Other systems to manage the election process and report and display results on behalf of state and local governments</li>
</ul>
</ul>
<div>
<br /></div>
<div>
Johnson reiterated that this designation <u style="font-style: italic; font-weight: bold;">does not</u> mean a federal takeover, regulation or oversight or intrusion concerning elections in the US. The designation does not change the roles state and local governments have in administering and running elections.</div>
<div>
<br /></div>
<div>
However, the designation as Critical Infrastructure means that election infrastructure becomes a priority within the National Infrastructure Protection Plan (NIPP).</div>
<div>
<br /></div>
<div style="text-align: center;">
<b>###</b></div>
</div>
Infrastructure Security Blog http://www.blogger.com/profile/03758998242854279163 noreply@blogger.com
tag:blogger.com,1999:blog-5697056867177470631.post-5248589079368713877 2016-10-22T15:48:00.002-07:00 2016-10-22T15:48:38.043-07:00
US Elections System as Critical Infrastructure?
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
What is "Critical Infrastructure?"</h2>
According to the US Department of Homeland Security, "Critical Infrastructure" includes those assets, systems, and networks, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.<br />
<br />
<a href="http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil">Presidential Policy Directive-21 (PPD-21), "Critical Infrastructure Security and Resilience,"</a> identifies 16 critical infrastructure sectors. These sectors include:<br />
<br />
<ul style="text-align: left;">
<li>Chemical Sector</li>
<li>Commercial Facilities Sector</li>
<li>Communications Sector</li>
<li>Critical Manufacturing Sector</li>
<li>Dams Sector</li>
<li>Defense Industrial Base</li>
<li>Emergency Services Sector</li>
<li>Energy Sector</li>
<li>Financial Services Sector</li>
<li>Food and Agriculture Sector</li>
<li>Government Facilities Sector</li>
<li>Healthcare and Public Health Sector</li>
<li>Information Technology Sector</li>
<li>Nuclear Reactors, Materials, and Waste Sector</li>
<li>Transportation Sector, and </li>
<li>Water and Wastewater Sector</li>
</ul>
<h2 style="text-align: left;">
What About the US Elections System/Sector?</h2>
<div>
In the news these past six weeks there has been an elevated discussion regarding the US election system and whether or not it should be identified as "Critical Infrastructure" and thus protected in the same way as the other 16 identified infrastructures. This is aggravated by Mr. Trump questioning the integrity of the US election system and by elevated concerns raised by the media that our country's enemies may take action to negatively impact the results of the voting on Tuesday, November 8th.</div>
<div>
<br /></div>
<div>
In early August, Secretary of the Department of Homeland Security, Jeh Johnson, observed:</div>
<div>
<br /></div>
<br />
<div style="text-align: left;">
<span style="font-family: inherit;"><span style="background: white; line-height: 115%;"><i><b>"There's a vital national interest in our election process, so I do think we need to consider whether it should be considered by my department and others as critical infrastructure." However ... </b></i></span></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><i><b><span style="background: white; line-height: 115%;"> "There's no one federal election system. There are some 9,000 jurisdictions involved in the election process," Johnson said. (<a href="http://www.washingtonexaminer.com/homeland-eyes-special-declaration-to-take-charge-of-elections/article/2600592">Link</a>)</span></b></i></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><span style="background: white; line-height: 115%;"><br /></span></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><span style="background: white; line-height: 115%;">So, Johnson's perception is that there is no single "Election Infrastructure Sector" per se and it may be challenging to quickly and effectively identify it as "Critical Infrastructure."</span></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><span style="background: white; line-height: 115%;"><br /></span></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><span style="background: white; line-height: 115%;">I even heard of this issue at a recent <a href="http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridSecCon.aspx">conference </a>held by the North American Electric Reliability Corporation (NERC) where a "new" critical infrastructure sector could be the US election system.</span></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><span style="background: white; line-height: 115%;"><br /></span></span></div>
<div style="text-align: left;">
<span style="background-color: white;">With some investigation by this writer, an article published on September 13, 2016, in <a href="http://fedscoop.com/dhs-election-cybersecurity-concerns-will-not-prompt-a-status-upgrade-yet"><i style="font-weight: bold;">Fedscoop,</i> </a>was located noting DHS Assistant Secretary for Cybersecurity, Andy Ozment, said that DHS will not classify election systems as critical infrastructure before the November 2016 presidential election.</span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: left;">
<span style="background-color: white;">Ozment's quote continued:</span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: left;">
<span style="background-color: white;"><b><i>"This is not something we're looking to in the near future. This is a conversation we're having in the long term with state and local government, who are responsible for voting infrastructure. We're focused right now on what we can usefully offer that local and state government will find valuable.</i></b></span></div>
<div style="text-align: left;">
<span style="background-color: white;"><b><i><br /></i></b></span></div>
<div style="text-align: left;">
<span style="background-color: white;"><b><i>"From our perspective, it gives us more ability to help. It does not put DHS in charge."</i></b></span></div>
<div style="text-align: left;">
<span style="background-color: white;"><b><i><br /></i></b></span></div>
<div style="text-align: left;">
<span style="background-color: white;">It will be fascinating to see how this conversation progresses -- especially if Mr. Trump's noisy questioning of the integrity of the voting process continues through and after the presidential election.</span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: left;">
<span style="background-color: white;">At a minimum, perhaps the "Election System Sector" could be included under the auspices of the "Government Sector" Critical Infrastructure designation rather than adding "Number 17."</span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: center;">
<span style="background-color: white;">###</span></div>
<br /></div>
Infrastructure Security Blog http://www.blogger.com/profile/03758998242854279163 noreply@blogger.com
tag:blogger.com,1999:blog-5697056867177470631.post-2669138222440127378 2016-10-18T18:15:00.001-07:00 2016-10-18T18:15:47.769-07:00
Review - WEF Global Competitiveness Report
<div dir="ltr" style="text-align: left;" trbidi="on">
In September 2016, the World Economic Forum (WEF) published its annual <b><i><a href="https://www.weforum.org/reports/the-global-competitiveness-report-2016-2017-1">Global Competitiveness Report 2016-17</a>.</i></b> This report is almost 400 pages of fairly comprehensive analysis of each country in the world and its relative competitiveness based on 12 separate factors (shown below):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihuxA6FJHFVbEZrjT2UtSa5A2VCiIBmT25I7dpYJbXJk7C5RIAGZTstI7wRMEw5n6uGrfEgAdu6YSueY01VVWAuDYRGMgZLoK8JcXN_x6_akxpfizMx6acx2pzbQiJpo-sd-8JXIM91nHB/s1600/Cover+Picture2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihuxA6FJHFVbEZrjT2UtSa5A2VCiIBmT25I7dpYJbXJk7C5RIAGZTstI7wRMEw5n6uGrfEgAdu6YSueY01VVWAuDYRGMgZLoK8JcXN_x6_akxpfizMx6acx2pzbQiJpo-sd-8JXIM91nHB/s640/Cover+Picture2.png" width="443" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQnCeygXTB0ue2JJxAKWQdiJhQzGS6jvrcjwAmsw3-miXcDebTFrEo2j6BW_SUu9D26wd4WEvI8BU0TazcxH35S-XG3ZLzxgspFfUcXaA2e6cYgtZA3i3azXq_xr9efHm0iZugkQS8Q_1S/s1600/12+Factors+Chart.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQnCeygXTB0ue2JJxAKWQdiJhQzGS6jvrcjwAmsw3-miXcDebTFrEo2j6BW_SUu9D26wd4WEvI8BU0TazcxH35S-XG3ZLzxgspFfUcXaA2e6cYgtZA3i3azXq_xr9efHm0iZugkQS8Q_1S/s400/12+Factors+Chart.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
These 12 factors are themselves broken down into key elements for:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<ul style="text-align: left;">
<li>Factor-Driven Economies</li>
<li>Efficiency-Driven Economies, and</li>
<li>Innovation-Driven Economies</li>
</ul>
<div>
For instance, Institutions and Infrastructure are key "Basic" requirements necessary for an economy to thrive and compete.</div>
<div>
<br /></div>
<div>
The WEF analysis then used these factors to ascertain the competitiveness of a country relative to the rest of the world as well as to its geographic region in many cases. For instance, the top 10 most competitive countries using this methodology are:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraxTmmmPugp09cZ5iKQpW5OemDryrJAA6S1FTpxuaQBzOfPfMjl-u2pNI7F6s6VMrhbQsSsZN5hl1uB8idputBLahBnguBPx_i6TU-VMTN9Skr_NsERVn28tbXgRQY0Sq4jt_4bGlWb4Y/s1600/top+10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraxTmmmPugp09cZ5iKQpW5OemDryrJAA6S1FTpxuaQBzOfPfMjl-u2pNI7F6s6VMrhbQsSsZN5hl1uB8idputBLahBnguBPx_i6TU-VMTN9Skr_NsERVn28tbXgRQY0Sq4jt_4bGlWb4Y/s640/top+10.png" width="640" /></a></div>
<div>
And the bottom 10 are:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5znnebtVjHLCHzytqtnel9XoIeca66krJ5MVIz29C4t5Xf39PXDqe5ClqvIhrOP2jYfACfSTRC0DbmiBdMf__6PDFNt7IiDwsA9mUIs51_SR9m5ZZtHxq12HxDhUZMSwtN8_pwolEKmDd/s1600/Bottom+10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5znnebtVjHLCHzytqtnel9XoIeca66krJ5MVIz29C4t5Xf39PXDqe5ClqvIhrOP2jYfACfSTRC0DbmiBdMf__6PDFNt7IiDwsA9mUIs51_SR9m5ZZtHxq12HxDhUZMSwtN8_pwolEKmDd/s640/Bottom+10.png" width="640" /></a></div>
<h2 style="text-align: left;">
Infrastructure Factor</h2>
<div>
The elements reviewed to calculate each factor are listed in the "Technical Notes and Sources" section at the end of the report. Since this blog is focused on infrastructure, the elements included in this calculation are of particular interest. These include the following:<br />
<br />
<ul style="text-align: left;">
<li>Quality of overall infrastructure</li>
<li>Quality of roads</li>
<li>Quality of railroad infrastructure</li>
<li>Quality of port infrastructure</li>
<li>Quality of air transport infrastructure</li>
<li>Available airline seat kilometers</li>
<li>Quality of electricity supply</li>
<li>Mobile-cellular telephone subscriptions</li>
<li>Fixed telephone lines</li>
</ul>
<div>
At first glance, this list is missing such elements as fresh/potable water supply, food availability and distribution, etc. However, the "Technological Readiness" factors include the following that could be considered part of the strength of a country's infrastructure:</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>Availability of latest technologies</li>
<li>Firm-level technology absorption</li>
<li>Foreign Direct Investment and technology transfer</li>
<li>Internet users</li>
<li>Fixed broadband Internet users</li>
<li>Internet bandwidth</li>
<li>Mobile broadband subscriptions</li>
</ul>
</div>
<h2 style="text-align: left;">
Conclusion</h2>
<div>
As usual, the quality and content of this report are very good. It is compelling and interesting and a useful reference for country policy development.</div>
<div>
<br /></div>
<div style="text-align: center;">
###</div>
<div>
<br /></div>
</div>
<br />
<br /></div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-71060563965946766262016-07-29T15:51:00.000-07:002016-07-29T15:51:54.425-07:00IMPACT OF POPULATION SHIFTS ON CRITICAL INFRASTRUCTURE -- Summary of OCIA Report<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: "gillsansmt"; font-size: 10.0pt;">In early July the U.S. Department of Homeland Security (DHS)/<a href="https://www.dhs.gov/office-cyber-infrastructure-analysis">Office of Cyber and Infrastructure Analysis (OCIA)</a> published an analysis entitled <b><i>Impact of Population Shifts on Critical Infrastructure</i>. </b>The report is a very compelling and interesting read and gives you a sense of how hard it is to augment infrastructure when the population is increasing (such as in the areas where fracking is in progress) and how difficult it is to maintain current infrastructure when your tax base -- i.e., population -- is leaving, as in the Rust Belt of the US.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4hPU22zsCczSJ17r0MHyl45ctWdNNnjNevHjl80hBKRm4iOSOFN1X2TUHgj2qXnJpIJ3N4rMNu6RCkuCUcKzmTjpjpOj5MQPZRKtWOB8fHSvh6W-iakFYrVY4Y7Gal7caT6D4NP8UwdJP/s1600/OCIA+Document+View.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4hPU22zsCczSJ17r0MHyl45ctWdNNnjNevHjl80hBKRm4iOSOFN1X2TUHgj2qXnJpIJ3N4rMNu6RCkuCUcKzmTjpjpOj5MQPZRKtWOB8fHSvh6W-iakFYrVY4Y7Gal7caT6D4NP8UwdJP/s640/OCIA+Document+View.jpg" width="561" /></a></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: "gillsansmt";"><span style="font-size: 13.3333px;">The map below gives the reader a sense of those areas in the continental US where population increase and decline may contribute to stresses on the installation and maintenance of critical infrastructure:</span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b><span style="color: #00568e; font-family: "gillsansmt-bold" , "sans-serif"; mso-bidi-font-family: GillSansMT-Bold;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpbJUlTTLSJJh-NEhQoi1zWD80xtswAWNBvqq5VkCbVveB9hQ3abWfBDbdLsHS53nTCrTyfpvQT4GeOIZg11zQSAf6Z_3R4riOWct9vVlD3duS8KDXzUqpAWzQYXGwXLHC-HOi25xDfZyQ/s1600/Map.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpbJUlTTLSJJh-NEhQoi1zWD80xtswAWNBvqq5VkCbVveB9hQ3abWfBDbdLsHS53nTCrTyfpvQT4GeOIZg11zQSAf6Z_3R4riOWct9vVlD3duS8KDXzUqpAWzQYXGwXLHC-HOi25xDfZyQ/s400/Map.jpg" width="400" /></a></div>
<br />
The map does reflect population shifts from the Northeast and Midwest to the South and West -- especially Texas, Georgia and Arizona/Nevada. According to the report, the new growth is in part because of high-technology magnet areas in the West and South, energy development of shale gas and shale oil in rural areas throughout the country, and regrowth in cities in the South and West with housing-led reversals. This growth is also partially because of lower costs of living, potentially including lower tax rates.<br />
<br />
Rapidly increasing populations result in:<br />
<br />
<ul style="text-align: left;">
<li>Increased demand for services</li>
<li>Increased infrastructure use</li>
<li>Increased rural roadway use requiring expensive reconstruction and repair</li>
<li>Reduced available downtime for infrastructure maintenance and repairs</li>
<li>Challenges in funding immediately needed infrastructure upgrades since available money may be delayed due to tax and revenue stream deferrals to later years.</li>
<li>Increased frequency and severity of disruptions to water and wastewater systems</li>
</ul>
<div>
Reduced populations result in:</div>
<div>
<ul style="text-align: left;">
<li>Reduced tax base resulting in funding shortfalls for infrastructure maintenance and repairs</li>
<li>Uneven population densities within metro areas</li>
</ul>
<h2 style="text-align: left;">
Conclusions</h2>
</div>
<div>
The report does offer some approaches to address both increasing and declining populations and the impacts on critical infrastructure. The key recommendations for both cases are:</div>
<div>
<ol style="text-align: left;">
<li><b>Strategic Planning -- </b>For rapidly increasing population growth, strategic planning is critical for meeting increases in demand -- especially because of the lead-time needed for financing; designing and planning projects; obtaining regulatory approvals; siting and constructing the infrastructure. <br /></li>
<li><b>Public-Private Partnerships -- </b>These partnerships and their collective approach can be useful for infrastructure planning/development/maintenance during times of population growth or decline. Don't forget, most of the critical infrastructure in the US is privately owned. And because these private entities rely on state/local government approval to deploy large infrastructure projects, their partnership and cooperation are critical.</li>
</ol>
<div>
<div style="text-align: center;">
<b>###</b></div>
<br /></div>
</div>
<br /></div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-8707838729710746712016-06-23T13:50:00.001-07:002016-06-23T13:50:14.717-07:00HOW TO "READ" THE ECONOMIST MAGAZINE<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2NBSo97l8b7JZ3JzN0L539T6_OeUD1nfFAGi-e-Rc_3PrBQc6p7GVYYu0Y4eGqkqua3dXR8MRrMTb8J7TKbMZSnxs85d0QM8-0HkFEZyUbf9x4JO3-ccw_pL5Y4f5Yiyk5Uso9ATepkIn/s1600/Economist.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2NBSo97l8b7JZ3JzN0L539T6_OeUD1nfFAGi-e-Rc_3PrBQc6p7GVYYu0Y4eGqkqua3dXR8MRrMTb8J7TKbMZSnxs85d0QM8-0HkFEZyUbf9x4JO3-ccw_pL5Y4f5Yiyk5Uso9ATepkIn/s400/Economist.jpg" width="400" /></a></div>
<br />
<br />
<br />
<br />
<div style="line-height: 24.0pt; margin-bottom: 24.0pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">My full-time job is that of a security consultant, but I am also a hobbyist student of geopolitics. My favorite (or is that<span class="apple-converted-space"> </span><em>favourite</em>) publication in this regard is <strong><i>The Economist</i></strong>,<span class="apple-converted-space"> </span>published weekly. Unfortunately, due to my consulting work along with other personal and professional obligations, I often don't have the opportunity to really "read" the magazine from cover to cover. But, rather than place the magazine<span class="apple-converted-space"> </span>on my notorious "to be read" stack, I have established a technique I'd like to share on how I can take some quality time to glean the contents of the magazine and at least add quickly to my geopolitical knowledge.<o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">PHASE I: THE CONTENTS (~ Page 5)</span></strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;"><o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">When I receive the magazine the first section I turn to is<span class="apple-converted-space"> </span><strong>Contents</strong>. Here I read the different titles of the articles but I'm especially sure to read the side-boxes (see below) since they<span class="apple-converted-space"> </span>offer a good sense of the themes covered in this week's issue.<o:p></o:p></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimDc0HkkrGwm8w0TsBG45PJH714iBJCIjsyOV9nHPSVwIW0MhsLAkjZymYfr0QJGTM7Az1vfBOqrT1p5FIzJpvE6m94K-_571qyvFqdpc0SIruZwnQse7hyJ2RTG-e4rgMt6CxjwEBEQOh/s1600/Economist+2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimDc0HkkrGwm8w0TsBG45PJH714iBJCIjsyOV9nHPSVwIW0MhsLAkjZymYfr0QJGTM7Az1vfBOqrT1p5FIzJpvE6m94K-_571qyvFqdpc0SIruZwnQse7hyJ2RTG-e4rgMt6CxjwEBEQOh/s400/Economist+2.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Read the Boxes</td></tr>
</tbody></table>
<div class="center" style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt; text-align: justify;">
<b style="line-height: 24pt; text-align: left;"><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">PHASE II: THE WORLD THIS WEEK (~ Pages 8-10)</span></b></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">This is the most interesting and most effective part of my time with <strong><i>The Economist</i></strong>. On these three pages, I get to view and digest the weekly cartoon and then get a good flavor of the world's news that I certainly don't obtain from the US television or newspapers. For instance, in this week's issue, there is news from Nigeria, Kenya, Ethiopia, Bahrain, Indonesia, Bangladesh besides the "normal" news sources of the US political scene, China, Paris and of course the UK.<o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">PHASE III: LEADERS (~ Pages 13-17)</span></strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;"><o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">This part of the magazine is my favorite. Here you can gain a sense of the pros/cons, plusses/minuses of the issues raised by the editors of the magazine. I especially like the coverage of these editorial comments since they cover most of the world and, again, are not focused on the US. Yes, there are comments on US politics (e.g., the 2016 election, Orlando, etc.) but the other editorial coverage is in areas with which I am not familiar or to which I am not often exposed. <o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">PHASE IV: SKIMMING THE PAGES </span></strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;"><o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">Finally, during my 15 minutes of quality time with the magazine, I'll skim through the different sections usually pausing on some of the editorials, reviewing any graphics/maps, and speeding through the different text boxes.<o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">Of course, if I'm ready to get on a plane or have some added time then I'll be sure to read the magazine in more depth but my focal points will generally begin with my four phases above.<o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">CONCLUSION</span></strong><span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;"><o:p></o:p></span></div>
<div style="color: rgba(0, 0, 0, 0.701961); line-height: 24pt; margin: 0in 0in 24pt;">
<span style="font-family: "Helvetica","sans-serif"; font-size: 13.5pt;">If you don't already subscribe to <strong><i>The Economist</i></strong><em>, </em>I'd highly recommend you do. You'll find that the view offered is far superior to US television and is more portable than my other favorite reads, <strong><i>The New York Times</i></strong><em> </em>or <strong><i>Washington Post</i></strong>.<o:p></o:p></span></div>
</div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-69717287106233882382016-05-23T11:14:00.001-07:002016-05-23T11:14:21.204-07:00Earthquake Risk and US Highway Infrastructure<div dir="ltr" style="text-align: left;" trbidi="on">
Thanks to our friends at the <a href="http://www.fas.org/">Federation of American Scientists (FAS)</a> a recent Congressional Research Service report entitled <i style="font-weight: bold;"><a href="http://fas.us8.list-manage.com/track/click?u=33c6e6fc9f63792ebcbb7ef9d&id=bf90a228e0&e=d0dc8ca93c">Earthquake Risk and U.S. Highway Infrastructure: Frequently Asked Questions</a></i> was posted. This 11-page report is an excellent overview of the current state of natural and man-made (read - "Fracking") earthquake impact on the US highway system.<br />
<span style="color: inherit; font-size: inherit;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ_7cpkIR_sLWN3cJcZNJu1Qqwwnp-5jzXej6lqyoGYtlYmBY8iOH40s7Dd6P8vLrvheAwj9a02LeuTWLiVupYBKotpt7Uthjzyy2c3UN-79qyWO-qIdf_TaENAZEyM-25IIeeudhIddFJ/s1600/CRS+Earthquake+Cover.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ_7cpkIR_sLWN3cJcZNJu1Qqwwnp-5jzXej6lqyoGYtlYmBY8iOH40s7Dd6P8vLrvheAwj9a02LeuTWLiVupYBKotpt7Uthjzyy2c3UN-79qyWO-qIdf_TaENAZEyM-25IIeeudhIddFJ/s400/CRS+Earthquake+Cover.jpg" width="400" /></a></div>
<span style="color: inherit; font-size: inherit;"><br /></span>
<span style="color: inherit; font-size: inherit;"><br /></span>
Two figures in the report are very telling as to the concentration of earthquakes and implications on "Shaking expected for Tall Structures Like Bridges" (below)...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0FD4pQh4PHNB2ZtUokBW_Qf-mKvOvY7lVJnHBzyWAeL14xrKpauUm8OhIhH2N3X_NKdZp-GkMvdkKDvp5uvIRKbJIv2kRA-EAQVC3fFvIuN3-y38HFBqp-ZY9nBKMC_82N_q8dH2uPvJQ/s1600/CRS+-+Earthquake+-+Fig+I.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0FD4pQh4PHNB2ZtUokBW_Qf-mKvOvY7lVJnHBzyWAeL14xrKpauUm8OhIhH2N3X_NKdZp-GkMvdkKDvp5uvIRKbJIv2kRA-EAQVC3fFvIuN3-y38HFBqp-ZY9nBKMC_82N_q8dH2uPvJQ/s400/CRS+-+Earthquake+-+Fig+I.jpg" width="400" /></a></div>
<br />
as well as a graphic showing the chance of human-induced and natural earthquakes. (Look at the concentration around Oklahoma presumably due to Fracking.)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdwAFF3TG4TaVeCxbgT0gY-FW_mNm0zqnNsYHNhyGoApq-eiLNxCLO26x9lIeouAeHprun93aFUZO1aWEo985UkJpioUBPRLUV3sJvaTTrLTM9GHBKQ2MCpSlW-CKbeIeM993gB8_OD9Y_/s1600/CRS+-+Earthquake+-+Fig+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="331" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdwAFF3TG4TaVeCxbgT0gY-FW_mNm0zqnNsYHNhyGoApq-eiLNxCLO26x9lIeouAeHprun93aFUZO1aWEo985UkJpioUBPRLUV3sJvaTTrLTM9GHBKQ2MCpSlW-CKbeIeM993gB8_OD9Y_/s400/CRS+-+Earthquake+-+Fig+2.jpg" width="400" /></a></div>
<h2 style="text-align: left;">
<br /><b>Key Comments in the Report</b></h2>
The report addresses these issues in a FAQ format, so here are some quick highlights:<br />
<br />
<b>Q: What Are the Components of Seismic Risk?</b><br />
<b><br /></b>
<b>A: </b>Seismic risk to a highway system is determined by three factors:<br />
<br />
<ul style="text-align: left;">
<li>Likelihood of seismic events of varying magnitudes, and related physical events, often referred to as the hazard;</li>
<li>Vulnerability of highway structures to damage from such events; and</li>
<li>Potential consequences of that vulnerability (e.g., lives lost, economic disruption, etc.)</li>
</ul>
<div>
<b>Q: How Vulnerable Is the U.S. Highway System?</b></div>
<div>
<b><br /></b></div>
<div>
<b>A: </b>"No national database exists on the seismic design and retrofit status of highway system components; thus, a perspective on vulnerability at the national level is unavailable. However, many states with large seismic hazards have compiled data on the vulnerability of highway components within their borders..."</div>
<div>
<br /></div>
<div>
<b>Q: How Vulnerable are Highway Bridges?</b></div>
<div>
<b><br /></b></div>
<div>
<b>A: </b>Basically many of the most vulnerable older bridges -- particularly in the West Coast States -- have been retrofitted to improve seismic resilience; however, many older bridges (around 13,000) in the New Madrid seismic zone (AR, IL, IN, KY, MO, MS, TN) have not been retrofitted.</div>
<div>
<br /></div>
<div>
<b>Q: How Costly is Retrofitting Highway Infrastructure?</b></div>
<div>
<b><br /></b></div>
<div>
<b>A: </b>Because no national data exist on the status of retrofitting existing highway bridges or other infrastructure (e.g., tunnels, highway systems), no national estimates exist.</div>
<br />
<b><br /></b>
<h2 style="text-align: left;">
Conclusion</h2>
If you are involved in transportation policy or a student of infrastructure, this is a useful starting point to give you a sense of the daunting task of improving the resilience of highway structures against earthquakes.<br />
<br />
<br /></div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-38662757394187454912016-05-19T14:15:00.000-07:002016-05-19T14:15:42.074-07:00"The Business of Hacking" -- Recommended Reading for CEOs, Boards of Directors, Governance Leadership<div dir="ltr" style="text-align: left;" trbidi="on">
What is your view of the "hacking community?" Is it one of masked computer operators working in a darkened room or that of a white-coated laboratory technician? Well, your views of the hackers working on new products and "services" to steal your information may be substantially changed after you read the most recent document from Hewlett Packard Enterprise entitled <b><i>The Business of Hacking: Business Innovation Meets the Business of Hacking.</i></b><br />
<b><i><br /></i></b>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRB9LhQyYkMZnlQjTvYIDOeayyZEcMCEpiNLXdSWB9cwYTkBELRFsGr7EogcNVJ1yl7G4Q7g-QHZJf-0JnfuqEztNcySYTWmfExtrrog7qz-wu93v5Cg9QcOgKCzALPGrJSP0Tj97m-Ony/s1600/HP+Business+of+Hacking+Cover.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRB9LhQyYkMZnlQjTvYIDOeayyZEcMCEpiNLXdSWB9cwYTkBELRFsGr7EogcNVJ1yl7G4Q7g-QHZJf-0JnfuqEztNcySYTWmfExtrrog7qz-wu93v5Cg9QcOgKCzALPGrJSP0Tj97m-Ony/s400/HP+Business+of+Hacking+Cover.jpg" width="312" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small; text-align: left;"><a href="http://www8.hp.com/us/en/software-solutions/hacking-report/index.html?jumpid=va_gpnq3t2xdw">http://www8.hp.com/us/en/software-solutions/hacking-report/index.html?jumpid=va_gpnq3t2xdw</a> </span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
This document is an easy and compelling read for Chief Executive Officers, Chief Information Officers, Boards of Directors, Risk Analysts and cyber security students. The article does an excellent job of giving a straightforward discussion of the "reality" of the cybercrime community and their "business models."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The HP whitepaper does a nice job clearly identifying "who" the "Bad Guys" are with a simple chart (shown below):</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEyuIX9PV0sPPP_o7vqltGe_xfW3gPnetxPd6Ph7Ghp7D8lgP4g8C_nmeeMSccxG9YEdsgcDVVrQiMQc6pLmVGsOcNdd9sQmOgSkbZHJb7Mx_CC7Uq2yoUn7KvGTTtTMkkqOV4ITxeivSS/s1600/HP+Bad+Guys.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEyuIX9PV0sPPP_o7vqltGe_xfW3gPnetxPd6Ph7Ghp7D8lgP4g8C_nmeeMSccxG9YEdsgcDVVrQiMQc6pLmVGsOcNdd9sQmOgSkbZHJb7Mx_CC7Uq2yoUn7KvGTTtTMkkqOV4ITxeivSS/s400/HP+Bad+Guys.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is extremely helpful to those trying to understand cybercrime and cyber "hacking" because it shows there are different types of hackers with different motivations and capabilities.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The article almost reads like a Gartner report with a "Magic Quadrant" depiction of where the attackers are working relative to Payout and Effort/Risk to their "business." The quadrant analysis is shown below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNw-EPJWzDZJ15yXKodljLcn6VmGhmXdw0TQHt2EE0hm4466WfyEhsHKvi_ZogsgUx5iCobFzw36jDvho193boSvNDnRpH3BID-iv3PI0v096gtjdkrCnK3LlE0SMxBg531RqgTAzYkCMA/s1600/HP+Business+of+Hacking+Quadrant.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNw-EPJWzDZJ15yXKodljLcn6VmGhmXdw0TQHt2EE0hm4466WfyEhsHKvi_ZogsgUx5iCobFzw36jDvho193boSvNDnRpH3BID-iv3PI0v096gtjdkrCnK3LlE0SMxBg531RqgTAzYkCMA/s400/HP+Business+of+Hacking+Quadrant.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Although the report doesn't go into details on how organized cyber crime is used by Nation-States, analysis has shown that some countries may be using organized cyber crime to carry out their cyber attacks, thus giving the Nation-State the ability to offer "plausible deniability."<br />
<br />
Finally, this report will reinforce to CEOs et al. that the cyber crime business is just that...a business...where the hackers want to maximize profit and minimize risk...where the hackers need to do research and development and they need to have a finance minister to run their economic shop.<br />
<br />
On a parenthetical note, in 2006 I wrote <a href="http://www.amazon.com/dp/0379012812/ref=rdr_ext_tmb">Chapter 1A, "Cybercrime's Impact on Information Security," in <b><i>Cybercrime & Security</i> </b>edited by Pauline C. Reich</a>. In my article I discussed cybercrime as a business -- albeit nefarious -- but with a CEO, COO, HR manager, VP of R&D, CFO, etc. and that their motives are focused on "....profit maximization and risk management..."<br />
<br />
<b>Key Take-Aways</b><br />
<b><br /></b>
This white paper from HP is a great educational piece to get to your Board of Directors, CEO, COO, CFO, CIO and cyber security students who need to realize that one way to hamper cyber crime is to alter the criminal's business operations .... raise their expenses and increase their risk.<br />
<br />
<div style="text-align: center;">
###</div>
<br /></div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-66015828499338065852016-04-14T20:46:00.000-07:002016-04-14T20:46:07.352-07:00WEBINAR: Climate-Resilient Infrastructure -- 28 April 2016<div dir="ltr" style="text-align: left;" trbidi="on">
Greetings!<br />
<br />
I've been rather swamped with a major project for the past few months so my Blog has been pretty quiet. Anyway, I want to pass along this one Webinar my fellow infrastructure colleagues may be interested in.<br />
<br />
<b>WEBINAR: NEW APPROACHES TO CLIMATE-RESILIENT INFRASTRUCTURE</b><br />
<b><br /></b>
<b>LINK: <a href="http://uweoconnect.extn.washington.edu/public_mipm/">http://uweoconnect.extn.washington.edu/public_mipm/</a> </b><br />
<b><br /></b>
<b>WHEN: THURSDAY, APRIL 28, 2016, 11:00 AM TO NOON PACIFIC DAYLIGHT TIME (GMT-7)</b><br />
<b><br /></b>
This FREE webinar will feature a panel of experts on infrastructure planning and climate change discussing new approaches to planning climate-resilient infrastructure. The topics to be covered include:<br />
<br />
<ul style="text-align: left;">
<li>How climate change affects infrastructure<br /></li>
<li>How planners can respond to climate change by planning integrated and resilient infrastructure<br /></li>
<li>Principles for re-thinking how we invest in infrastructure<br /></li>
<li>How US Federal Agencies are adapting this approach to their grants and disaster relief programs, including information on the Federal Emergency Management Agency (FEMA) National Resilience Challenge and the US Housing and Urban Development (HUD) Disaster Resilience Competition</li>
</ul>
<div>
<b>Hosts:<br /></b></div>
<div>
Ms. Jill Sterrett, FAICP, Affiliate Instructor, Department of Urban Design and Planning, University of Washington, Seattle, WA USA</div>
<div>
<br /></div>
<div>
Mr. Rhys Roth, Faculty and Director of the Center for Sustainable Infrastructure, Evergreen State College, Olympia, WA USA</div>
<div>
<br /></div>
<div>
Mr. Steve Moddemeyer, Principal, CollinsWoerman Architects, Seattle, WA USA</div>
</div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-60980501422561136512016-02-11T20:41:00.001-08:002016-02-11T20:41:53.350-08:00A View of the World's Infrastructure -- PBS Video "Humanity from Space"<div dir="ltr" style="text-align: left;" trbidi="on">
I have been a student of global infrastructure for many years and even completed my <a href="http://www.infrastructure-management.uw.edu/">Masters in Infrastructure Planning and Management</a> from the <a href="http://www.uw.edu/">University of Washington, Seattle, USA</a> this past year. This week I happened to view an absolutely fascinating video on the US Public Broadcasting System (PBS) called <b><i>Humanity from Space</i></b>.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS0OPh6V5DkmZnY1cdB9M-Blmxg_aoCO627YhvKccnIfUAgsGkUg4F_do0f68_noqYGHy0wp0mYy5Ae1pUbSAb10D8-bfAaCoizk0EyMl3gHR3MJZegtg66dhYb1NXzX7Zm5SPjRtePWaC/s1600/Humanity+from+Space.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS0OPh6V5DkmZnY1cdB9M-Blmxg_aoCO627YhvKccnIfUAgsGkUg4F_do0f68_noqYGHy0wp0mYy5Ae1pUbSAb10D8-bfAaCoizk0EyMl3gHR3MJZegtg66dhYb1NXzX7Zm5SPjRtePWaC/s400/Humanity+from+Space.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">http://www.pbs.org/program/humanity-from-space/ </td></tr>
</tbody></table>
This video offers a terrific view of global infrastructure expansion and development from the early days of mankind up to the future views of expanded renewable energy, communications networks, highways, transportation, etc.<br />
<br />
From the PBS page, here is a broader description of the video:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4nvp431u1BEdKz4fCl-6TJDQ603fbz-4NokjKmVOzTlLycuq2ChEieCURE8vwpkcs-K1Pp_IiRqIraHrCzQeDYfbn4u_jJp1lY4xNDRfmo_FVJ_0biBJlB1ezFAiJoXI_2eSH-tbhhkvN/s1600/Humanity+from+Space+2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="432" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4nvp431u1BEdKz4fCl-6TJDQ603fbz-4NokjKmVOzTlLycuq2ChEieCURE8vwpkcs-K1Pp_IiRqIraHrCzQeDYfbn4u_jJp1lY4xNDRfmo_FVJ_0biBJlB1ezFAiJoXI_2eSH-tbhhkvN/s640/Humanity+from+Space+2.jpg" width="640" /></a></div>
<br />
<br />
You can view the entire video at: <a href="http://www.pbs.org/video/2365530573/">http://www.pbs.org/video/2365530573/</a><br />
<br />
You <b><u><i>may </i></u></b>also be able to locate it on alternative services such as Roku, Netflix, or Amazon Prime.<br />
<br />
Anyway, take time to view this phenomenal film....the graphics are thought provoking and the music is from one of my favorite composers, <a href="http://www.thomasbergersen.com/">Thomas Bergersen</a>/<a href="http://www.twostepsfromhell.com/">Two Steps from Hell</a>.<br />
<br />
Cheers!<br />
<br />
<div style="text-align: center;">
###</div>
<br />
<br /></div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-50636614621245897222016-02-08T11:54:00.001-08:002016-02-08T11:54:17.632-08:00ONE OF FEW IN THE WORLD – MASTERS IN INFRASTRUCTURE PLANNING AND MANAGEMENT<div dir="ltr" style="text-align: left;" trbidi="on">
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
As I began writing this blog post the <b><a href="http://www.weforum.org/">World Economic Forum</a> (WEF)</b> annual meeting in Davos, Switzerland is in progress. In conjunction with this major meeting the WEF also produces its <b><i>Global Risks Report. </i></b>One section of the report – shown below – is entitled “Global Risks of Highest Concern for Doing Business.”<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6XuKFopzmyHn2AAhrLAFWCjPIovp6oRDE28INuTenxvSTAglCjfn_JtHDA83iN79RQjnBDlciQrb-MOi0AwFF1FUdSqbJPjUpxUL6GIT0VeuYaEESHfp22Jxz2xiF-azS1Pb7DqJDzYrv/s1600/MIPM+Blog+1+-+WEF.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6XuKFopzmyHn2AAhrLAFWCjPIovp6oRDE28INuTenxvSTAglCjfn_JtHDA83iN79RQjnBDlciQrb-MOi0AwFF1FUdSqbJPjUpxUL6GIT0VeuYaEESHfp22Jxz2xiF-azS1Pb7DqJDzYrv/s400/MIPM+Blog+1+-+WEF.png" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div align="center" class="MsoCaption" style="text-align: center;">
Figure 1: <a href="http://reports.weforum.org/global-risks-2016/eos/">http://reports.weforum.org/global-risks-2016/eos/</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As you look at this list, the eighth most important risk of concern is “Failure of Critical Infrastructure.” <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Wow, that is very disconcerting and it is important that critical infrastructure issues be addressed to help mitigate and alleviate these risks. But even as you think about it, global infrastructure is strained even with issues #1 through #7 (and #9, of course).<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
But how?<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<h2 style="text-align: left;">
<b>Masters of Infrastructure Planning and Management</b></h2>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
In August 2015 I successfully completed the Master’s Degree in Infrastructure Planning and Management at the University of Washington, Seattle, Washington USA. This program – entirely online, so you can take classes literally around the globe in various time zones – provided fantastic exposure to me as an infrastructure security professional on ways to manage and protect vital infrastructure systems from natural and man-made threats. The program curriculum is included below.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsSbXJsbCfM1xxFWCc3ToM0FooFDnEb7mSBV6phs4xMC847Fyz0AOIMjU2JEu-eHDgOt0OaQLFHHcDQa1pPRMuyESWqcoy9NsJ05Xu68k8zmoES5zx0vYlstMRlKSKc7XY_Lj7vsd3zoCQ/s1600/MIPM+Blog+2+-+Curriculum.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsSbXJsbCfM1xxFWCc3ToM0FooFDnEb7mSBV6phs4xMC847Fyz0AOIMjU2JEu-eHDgOt0OaQLFHHcDQa1pPRMuyESWqcoy9NsJ05Xu68k8zmoES5zx0vYlstMRlKSKc7XY_Lj7vsd3zoCQ/s640/MIPM+Blog+2+-+Curriculum.png" width="440" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div align="center" class="MsoCaption" style="text-align: center;">
Figure 2: http://www.infrastructure-management.uw.edu/overview/courses/</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
And as you can observe, the courses train the students on such fundamental topics as risk management, geographic information systems (GIS), and strategic planning. The core courses include “soup to nuts” reviews of different infrastructure sectors such as energy, water, food, transportation, emergency management and public health.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
At the end of the two-year program I believe you can be an adept contributor to critical infrastructure planning and management at the local, regional, national or international level.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
By the way, the instructors are also accomplished, practical professionals in their areas. For instance, the infrastructure finance professor studied under Nobel Laureates at the University of California. The instructors teaching the energy courses work for the regional utility in Seattle, and the public health professor is a physician with almost 40 years’ experience in international public health management.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Overall, the instructors “…really know their stuff…” from a practical, hands-on perspective and after a quarter with each one of them you have not only learned the details of the sector but you also know where to look for more information – a key value to me as a critical infrastructure protection professional.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<h2 style="text-align: left;">
<b>Graduates and their Stories</b></h2>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
Some of my fellow classmates have done very well with their MIPM credentials. One grad continued in the Business Continuity/Planning space for a major health insurance provider and is now the Global Emergency Preparedness manager for a major, US West Coast university. Another classmate continues as a Lieutenant Colonel in the Army with expanded awareness of global infrastructure issues. A third classmate is in a local city public utility doing planning work.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>How Can I Get More Information? Where Do I Sign Up?<o:p></o:p></b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
If you want more details I’d first suggest you visit the <a href="http://www.infrastructure-management.uw.edu/">University of Washington Master in Infrastructure Planning and Management</a> web page.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Be sure to review the <a href="http://www.infrastructure-management.uw.edu/admissions/">Admissions</a> requirements and the <a href="http://www.infrastructure-management.uw.edu/costs/">Costs/Financial Aid</a> page. Overall, you’ll see that the entrance requirements are certainly those of a Top Tier University but within reason for the working professional. Some of my classmates had their tuition covered by the GI Bill and my company reimbursed me for my courses.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Of note, each cohort starts at the end of September each year and the <span style="background-color: yellow;"><b>Application Deadline is June 1<sup>st</sup></b>.</span><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<h2 style="text-align: left;">
<b>Unique Training – Unique Opportunity</b></h2>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
As the faculty and students can attest, this is one of the very few programs in the world offering Masters-level training on infrastructure planning and management. And, it is ONLINE so you don’t need to attend classes and – as a working professional – I can tell you that class assignments can be completed even if you are on the road multiple time zones away from Seattle.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
So, here are the key Links…..and remember, the Application Deadline is June 1<sup>st</sup>.<o:p></o:p></div>
<div class="MsoNormal">
<b><br /></b></div>
<ul style="text-align: left;">
<li><b>PROGRAM OVERVIEW: <a href="http://www.infrastructure-management.uw.edu/">http://www.infrastructure-management.uw.edu/</a></b></li>
<li><b>CURRICULUM: <a href="http://www.infrastructure-management.uw.edu/overview/courses/">http://www.infrastructure-management.uw.edu/overview/courses/</a></b></li>
<li><b>FACULTY: <a href="http://www.infrastructure-management.uw.edu/overview/faculty/">http://www.infrastructure-management.uw.edu/overview/faculty/</a></b></li>
<li><b>ADMISSIONS: <a href="http://www.infrastructure-management.uw.edu/admissions/">http://www.infrastructure-management.uw.edu/admissions/</a></b></li>
<li><b>FINANCES: <a href="http://www.infrastructure-management.uw.edu/costs/">http://www.infrastructure-management.uw.edu/costs/</a></b></li>
<li><b>ONLINE LEARNING: <a href="http://www.infrastructure-management.uw.edu/overview/onlinelearning/">http://www.infrastructure-management.uw.edu/overview/onlinelearning/</a></b></li>
</ul>
<br />
<div align="center" class="MsoNormal" style="text-align: center;">
###<o:p></o:p></div>
</div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-89352647680317509362016-02-02T10:49:00.000-08:002016-02-02T10:49:18.027-08:00Plan of Attack: Studying for the ASIS Physical Security Professional (PSP) Certification Test<div dir="ltr" style="text-align: left;" trbidi="on">
I recently sat for the <a href="http://www.asisonline.org/">ASIS </a><a href="https://www.asisonline.org/Certification/Board-Certifications/PSP/Pages/default.aspx">Physical Security Professional (PSP) </a>certification exam. The test is about 125 questions and you are allotted about three hours to complete the test at a testing facility (e.g., Prometric).<br />
<br />
This Blog is intended to offer a Plan of Attack on how to study for the exam; however, according to the rules of engagement, I am not permitted to offer example/actual questions, answers, etc. Instead, this Blog is really a "How To" on preparing for the test using a process I developed after searching the Internet and reviewing any ASIS resources that could offer ideas.<br />
<br />
Be sure you take a look at the <a href="https://my.asisonline.org/Lists/AsisDownloads/ASIS_Certification_Handbook.pdf">ASIS Board Certification Handbook</a> as you prepare for this journey.<br />
<br />
<h2 style="text-align: left;">
<b>STEP 1: ASSEMBLE ALL RESOURCES</b></h2>
<b><br /></b>
Collect/assemble all your resources to study for the test. The first set of resources is listed on the ASIS site <a href="https://www.asisonline.org/ASIS-Store/Products/Pages/PSP-Reference-Set.aspx?cart=a47b6edbf7e147f691c90d741bddb82a">here</a>.<br />
<br />
These documents include:<br />
<br />
<ul style="text-align: left;">
<li><a href="https://www.asisonline.org/Standards-Guidelines/Guidelines/published/Pages/Facilities-Physical-Security-Measures-Guideline.aspx"><i><b>ASIS Facilities Physical Security Measures Guideline</b></i></a><br /></li>
<li><a href="https://www.asisonline.org/Standards-Guidelines/Guidelines/Published/Pages/Business-Continuity-Guideline_A-Practical-Approach-for-Emergency-Preparedness_-Crisis-Management_and-Disaster-Recovery.aspx"><b><i>ASIS Business Continuity Guideline</i></b></a><br /></li>
<li><a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Design-and-Evaluation-of-Physical-Protection-Systems-2nd-Ed.aspx"><b><i>Design and Evaluation of Physical Protection Systems</i></b>, 2nd Edition, Mary Lynn Garcia</a><br /></li>
<li><a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Effective-Physical-Security-4th-Edition.aspx"><b><i>Effective Physical Security</i></b>, 4th Ed, Lawrence J. Fennelly (Editor)</a><br /></li>
<li><a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Implementing-Physical-Protection-Systems-A-Practical-Guide-2nd-Edition.aspx"><b><i>Implementing Physical Protection Systems: A Practical Guide</i></b>, 2nd Edition, David G. Patterson</a><br /></li>
<li><a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Introduction-to-Security-9th-Edition.aspx"><i style="font-weight: bold;">Introduction to Security</i>, 9th Edition, Robert J. Fischer, et al</a><br /></li>
<li><a href="https://www.asisonline.org/ASIS-Store/Products/Pages/PSP-Reference-(Excerpts-from-the-POA)-2nd-Ed.aspx"><i style="font-weight: bold;">PSP Reference (Excerpts from the Protection of Assets (POA))</i>, 2nd Edition</a> (See * Below)<br /></li>
<li><a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Risk-Analysis-and-the-Security-Survey-4th-Edition.aspx"><i style="font-weight: bold;">Risk Analysis and the Security Survey</i>, 4th Edition, James F. Broder, Eugene Tucker</a></li>
</ul>
* One book that is not listed but is <u style="font-style: italic; font-weight: bold;">HIGHLY RECOMMENDED</u> is the ASIS book, <i style="font-weight: bold;"><a href="https://poa.asisonline.org/Purchase-Protection-of-Assets/Books/Pages/Protection-of-Assets-Physical-Security.aspx?cart=a47b6edbf7e147f691c90d741bddb82a">Protection of Assets - Physical Security</a>. </i>Yes, the PSP Reference does repeat some information from the actual POA -- and you need the PSP Reference for its chapter on high rise security -- but the actual POA is an imperative read as you prepare for the test.<div>
<br /></div>
<h2 style="text-align: left;">
<b>STEP 2: OUTLINE THE ASIS GUIDELINES</b></h2>
<div>
<b><br /></b></div>
<div>
This first step will help you to gain a broad view of where your studying will take you. By simply reading the Guidelines and outlining the various sections -- even just handwriting down the different sections/subsections in order -- you'll get a chance to see the flow of the organization of what is included in Physical Security.</div>
<div>
<br /></div>
<div>
In my case I did my outline in Microsoft PowerPoint with the slides highlighting the key concepts for each section/subsection. (NOTE: These outline PPT decks will be useful for review).</div>
<div>
<br /></div>
<div>
From these Guidelines I'd suggest you <b><u><i><span style="background-color: yellow;">memorize</span> </i></u></b>the Business Continuity process flow first shown on page 10 of the <i style="font-weight: bold;"><a href="https://www.asisonline.org/Standards-Guidelines/Guidelines/Published/Pages/Business-Continuity-Guideline_A-Practical-Approach-for-Emergency-Preparedness_-Crisis-Management_and-Disaster-Recovery.aspx">ASIS Business Continuity Guideline</a> </i>and shown below:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHPSIh0bwZ_WjGYgBXRY6HpYgYKQji_Vp4dri6DRCRNTzbrnvGz7H7fwGqTlTfRvplOXHJigOjKWGDGQEw19vMAGOiSUVK7hVq21WyRSdsdIjd4Xma8nWwl9ovQhsg_fC0fFuOgudfCTCh/s1600/BCP+Process+Flow.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHPSIh0bwZ_WjGYgBXRY6HpYgYKQji_Vp4dri6DRCRNTzbrnvGz7H7fwGqTlTfRvplOXHJigOjKWGDGQEw19vMAGOiSUVK7hVq21WyRSdsdIjd4Xma8nWwl9ovQhsg_fC0fFuOgudfCTCh/s400/BCP+Process+Flow.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">BCP Process flow</td></tr>
</tbody></table>
<div>
<br /></div>
<h2 style="text-align: left;">
<b>STEP 3: START READING, OUTLINING, REVIEWING</b></h2>
<div>
<b><br /></b></div>
<div>
This is now where the real work starts. But, with the background you already have with the above outlining efforts and your own professional experience, this will be time-consuming but not daunting.</div>
<div>
<br /></div>
<div>
There is no right/wrong way to proceed but I essentially did the following steps on my reading:</div>
<div>
<br /></div>
<div style="text-align: center;">
<b>NOTE: </b></div>
<div style="text-align: center;">
<b>If you have little or no practical field experience in the Physical Security space, take time to read and outline <a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Introduction-to-Security-9th-Edition.aspx"><i>Introduction to Security</i>.</a> This is the first thing you'll need to do to get a solid foundation for your studying. Otherwise, if you have considerable physical and cyber security experience you can "jump into the pool" and start with the reading/studying list below:</b></div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>First: Read the <i style="font-weight: bold;"><a href="https://poa.asisonline.org/Purchase-Protection-of-Assets/Books/Pages/Protection-of-Assets-Physical-Security.aspx?cart=a47b6edbf7e147f691c90d741bddb82a">Protection of Assets - Physical Security</a></i> cover to cover with a pen and highlighter in hand.<br /></li>
<li>Second: Read the <a href="https://www.asisonline.org/ASIS-Store/Products/Pages/PSP-Reference-(Excerpts-from-the-POA)-2nd-Ed.aspx"><i style="font-weight: bold;">PSP Reference (Excerpts from the Protection of Assets (POA))</i>, 2nd Edition</a> focused on Part 3 -- High Rise Structures. (The other three Parts are repeats from the original POA book I just read).<br /></li>
<li>Third: Read Mary Lynn Garcia's <a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Design-and-Evaluation-of-Physical-Protection-Systems-2nd-Ed.aspx"><b><i>Design and Evaluation of Physical Protection Systems</i></b>, 2nd Edition.</a> This is a fantastic read and complements the two books and Guidelines you've read above. Her book structure follows the figure below, "Design and Evaluation Process for Physical Protection Systems (PPS)." Take time to <span style="background-color: yellow;"><u style="font-style: italic; font-weight: bold;">memorize</u> </span>this chart and know it cold.<br /><br />Also, at the end of each one of her chapters she included a few paragraphs called "Security Principles." These are very helpful to read, know, and understand -- and if you don't, restudy the chapter.<br /></li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_JVnC9WfFSlVLckpOXAqxKPBxGnUQlA8pZQHT_pcJeWejndfqSONhRvG96xETiFgh2_gaEhoBEWa-xsubCeG6M3jnuD8Z3OdpqWU_n-ajU743KC5jsfGehwU0DRWGQD063AYK3YyI7xY/s1600/Design+PPS+-+Garcia.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_JVnC9WfFSlVLckpOXAqxKPBxGnUQlA8pZQHT_pcJeWejndfqSONhRvG96xETiFgh2_gaEhoBEWa-xsubCeG6M3jnuD8Z3OdpqWU_n-ajU743KC5jsfGehwU0DRWGQD063AYK3YyI7xY/s400/Design+PPS+-+Garcia.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Page 4, <i>Design and Evaluation of Physical Protection Systems</i></td></tr>
</tbody></table>
<div>
<br /></div>
<ul style="text-align: left;">
<li>Fourth: Read and study <a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Implementing-Physical-Protection-Systems-A-Practical-Guide-2nd-Edition.aspx"><b><i>Implementing Physical Protection Systems: A Practical Guide</i></b>.</a> Be sure you understand the six phases of PPS life cycle planning and what goes into each one of the phases. Overall, this is a very helpful book for your future life as a security project manager, and the words of wisdom offered by David Patterson are valuable.<br /></li>
<li>Fifth: Read and study <a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Effective-Physical-Security-4th-Edition.aspx"><b><i>Effective Physical Security</i></b>.</a> Each chapter offers a wealth of information on various technical topics you've already learned in the POA above and in Mary Lynn Garcia's work. This book is also great for quick reference when you need a few more details when studying such topics as locks, lighting, etc.<br /></li>
<li>Sixth: Read the remaining references in any order. </li>
</ul>
<h2 style="text-align: left;">
<b>STEP 4: START STUDYING, MEMORIZING, LEARNING, REINFORCING</b></h2>
</div>
<div>
<b><br /></b></div>
<div>
Now comes the truly hard work. Each of us has our own way of learning, but below I'll offer my own approach.</div>
<div>
<br /></div>
<div>
For each one of the books above, I outlined the chapters using PowerPoint -- the same way I outlined the Guidelines.</div>
<div>
<br /></div>
<div>
Some people prefer to use Flash Cards; however, a wonderful and FREE system you can use is an online application called <u style="font-style: italic; font-weight: bold;"><a href="https://quizlet.com/">Quizlet</a></u>. Be sure to set up a FREE account and then conduct a search for any Quizzes prepared for the PSP. I located about four and also built a few myself -- which is great! </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQmLsB5cfWQOSV2AASuQRVjdr0CtXm_L7fhjPc9GyF5sCe-bZwxZXI6rEJ9qkTrrn45pSOY4clyJUrA9XyKllagZ3Xv2Wa6d5B8Wp2czEgxvFyquftWhi9OOayP7F8Tl9CprVdQKQ7P7F2/s1600/Quizlet.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQmLsB5cfWQOSV2AASuQRVjdr0CtXm_L7fhjPc9GyF5sCe-bZwxZXI6rEJ9qkTrrn45pSOY4clyJUrA9XyKllagZ3Xv2Wa6d5B8Wp2czEgxvFyquftWhi9OOayP7F8Tl9CprVdQKQ7P7F2/s640/Quizlet.jpg" width="640" /></a></div>
<div>
</div>
<div>
<br /></div>
<div>
You can use Quizlet to display Flashcards, develop tests (multiple choice, fill in the blank, match) and even play games using "Scatter" and "Gravity." </div>
<div>
<br /></div>
<div>
Quizlet really helped me with Flashcard preparation (yes, you can print them) and took the boredom out of the review process.</div>
<div>
<br /></div>
<h2 style="text-align: left;">
<b>WHAT ABOUT OTHER PSP TEST PREPARATION OPPORTUNITIES?</b></h2>
<div>
<b><br /></b></div>
<div>
Be sure to check the ASIS website and your own local chapter to see if they are offering any PSP study groups. Unfortunately, I was not able to participate in any.</div>
<div>
<br /></div>
<h2 style="text-align: left;">
<b>GENERAL GUIDELINES</b></h2>
<div>
<br /></div>
<div>
Here are some general guidelines to consider when preparing for the test:</div>
<div>
<br /></div>
<div>
1) Don't CRAM and expect to pass the test. There is too much information.<br /><br />2) Draw every diagram you see at least once.<br /></div>
<div>
3) Prepare a plan (like the above) and build upon what you are learning. For instance, when reading a specific topic in the <i style="font-weight: bold;"><a href="https://poa.asisonline.org/Purchase-Protection-of-Assets/Books/Pages/Protection-of-Assets-Physical-Security.aspx?cart=a47b6edbf7e147f691c90d741bddb82a">Protection of Assets - Physical Security</a></i> -- e.g., Lighting -- also read the section on Lighting in <a href="https://www.asisonline.org/ASIS-Store/Products/Pages/Effective-Physical-Security-4th-Edition.aspx"><b><i>Effective Physical Security</i></b></a> to complement and augment what you just learned.</div>
<div>
<br /></div>
<div>
4) Know your terms but also know the contents of the practical discussions in Garcia's and Fennelly's books -- as well as both POA references.</div>
<div>
<br /></div>
<div>
5) Get a good night's rest the night before the exam. Review your outlines the day of the test and go for it!</div>
<div>
<br /></div>
<div style="text-align: center;">
<b>GOOD LUCK!!</b></div>
</div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-88245750868114360742016-01-27T14:11:00.000-08:002016-01-27T14:11:05.989-08:00CRS Report - Vulnerability of Concentrated Critical Infrastructure<div dir="ltr" style="text-align: left;" trbidi="on">
I was recently writing an article for the <span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"><a href="http://www.hazar.org/"><b>Hazar Strateji Enstitüsü</b> <b>/ Caspian Strategy Institute</b> </a></span><b style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"><a href="http://www.hazar.org/">(HASEN)</a> </b><span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;">on the subject of physical security of </span>critical<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"> electric infrastructure. During my research I came across a very interesting -- and I believe timely -- Congressional Research Service (CRS) Report entitled <i style="font-weight: bold;"><a href="https://www.fas.org/sgp/crs/homesec/RL33206.pdf">Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options</a></i>. The report was prepared by Paul W. Parfomak and updated on September 12, 2008. </span><br />
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"><br /></span>
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;">(Hat tip to the <a href="http://www.fas.org/">Federation of American Scientists</a> for posting this document in their publicly available CRS library!)</span><br />
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisqnjiqgtNw7h9G5Y9wGnaW6VGtGLJRoxnnp5KfOVMwAL5Xr4dhf0ntQAT0N1MJiBRHFgyptSEq-KrwYSsXEvvlDJie5efn6Gnfskx_p_F_jPbbdIj2nR1n1_Ln-sKN3QjlKxUfrqbZKmg/s1600/CRS+CIKR+Concentration.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisqnjiqgtNw7h9G5Y9wGnaW6VGtGLJRoxnnp5KfOVMwAL5Xr4dhf0ntQAT0N1MJiBRHFgyptSEq-KrwYSsXEvvlDJie5efn6Gnfskx_p_F_jPbbdIj2nR1n1_Ln-sKN3QjlKxUfrqbZKmg/s400/CRS+CIKR+Concentration.jpg" width="312" /></a></div>
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"><br /></span>
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"><br /></span>
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;">I found this report to be an exceptional analysis of the vulnerabilities posed to the US with critical infrastructure concentrated in geographic areas. Such concentration increases the vulnerability to events like natural disasters, epidemics, certain kinds of terrorist attacks, etc.</span><br />
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;"><br /></span>
<span style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19.5px;">The report defines "Geographic Concentration" of critical infrastructure as:</span><br />
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<b><i>"...the physical location of critical assets in sufficient proximity to each other that they are vulnerable to disruption by the same, or successive, regional events."</i></b></div>
<div style="text-align: center;">
<b><i><br /></i></b></div>
<div style="text-align: left;">
To give the reader a sense of the degree of geographic concentration (in 2008) here is an interesting list:</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li><b><b>Energy (Refining) </b><span style="font-weight: normal;">-- Approximately 43% of total US oil refining capacity is clustered along the Texas and Louisiana coasts</span></b></li>
</ul>
<ul style="text-align: left;">
<li><b><span style="font-weight: normal;"><b>Banking and Finance (Securities Market)</b> -- Almost 39% of US securities and options are traded on the floors of the NY and American Stock Exchanges in lower Manhattan<br /></span></b></li>
<li><b>Chemicals (Chlorine) </b>-- Over 38% of US chlorine production is located in coastal Louisiana</li>
</ul>
<ul style="text-align: left;">
<li><b>Transportation (Rail) -- </b>Over 37% of US freight railcars pass through Illinois, primarily around Chicago. Over 27% of freight railcars pass primarily through St. Louis<br /></li>
<li><b>Transportation (Marine Cargo) </b>-- Over 33% of US waterborne container shipments pass through the ports of Long Beach and Los Angeles in Southern California (<b>Note</b>: a major tsunami in Southern California could close the Ports of Long Beach/Los Angeles for two months and cost $60B in economic losses)</li>
</ul>
<br />
<ul style="text-align: left;">
<li><b>Defense Industrial Base (Shipyards)</b> -- Over 31% of US naval shipbuilding and repair capacity is in and around Norfolk, Virginia<br /></li>
<li><b>Agriculture and Food (Livestock) </b>-- Approximately 29% of US hog inventories are in Iowa; 15% in eastern North Carolina</li>
</ul>
<ul style="text-align: left;">
<li><b>Public Health and Healthcare (Pharmaceuticals)</b> -- Approximately 25% of US pharmaceuticals are manufactured in Puerto Rico/San Juan metro area</li>
</ul>
<br />In addition to the sobering numbers above, the combined geographical area of New York City and Northern New Jersey holds 12% of US port capacity and 8% of airport capacity.<div>
<br /></div>
<div>
<b>MARKET INFLUENCES ON GEOGRAPHIC CONCENTRATION</b></div>
<div>
<b><br /></b></div>
<div>
To the casual observer, geographic concentration of US critical infrastructure is nothing new. For example, Chicago and Atlanta evolved from railroad hubs; Louisiana and the Coast of Texas are major players in oil and natural gas because that is where the natural resources are, etc. However, there are some added influences cited by the CRS report. They include:</div>
<div>
<ul style="text-align: left;">
<li><b>Resource Location<br /></b></li>
<li><b>Agglomeration Economies </b>(i.e., spatial concentration itself creates a favorable economic environment that supports further or continued concentration)<br /></li>
<li><b>Scale Economies</b> (e.g., refineries, ports, etc. are growing larger and larger due to the driver of "economy of scale")<br /></li>
<li><b>Community Preferences </b>(this is more like the concentration of infrastructure in places where the local citizens are not opposed to such facilities)<br /></li>
<li><b>Capital Efficiency</b> (critical infrastructure is located where capital can be efficiently deployed)<br /></li>
</ul>
<div>
<b>FEDERAL POLICIES AND INFRASTRUCTURE CONCENTRATION</b></div>
<div>
<b><br /></b></div>
<div>
Finally, for those who are planners or students of infrastructure planning and management here are some selected Federal policies to discourage geographic concentration:</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li><b>Prescriptive Siting </b>(e.g., In the early 1940s, the US Government financed a major steel plant in Utah as a precaution against shortages in the Western US in case of a Pacific Coast invasion by the Japanese or closure of the Panama Canal)<br /></li>
<li><b>Economic Incentives<br /></b></li>
<li><b>Environmental Regulation </b>(e.g., Coastal Zone Management Act, Clean Air Act, etc.)<br /></li>
<li><b>Economic Regulation</b></li>
</ul>
<div>
Finally, the report highlights policy options to reduce infrastructure vulnerability that can include:</div>
</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li><b>Eliminating Policies Encouraging Concentration<br /></b></li>
<li><b>Encouraging Geographic Dispersion<br /></b></li>
<li><b>Ensuring Infrastructure Survivability<br /></b></li>
<li><b>Ensuring Infrastructure Recovery Capabilities</b></li>
</ul>
<div>
<b><br /></b></div>
</div>
<div>
<b>CONCLUSIONS</b></div>
<div>
<b><br /></b></div>
<div>
Overall this is an excellent and thought-provoking report on the strengths and vulnerabilities posed by the concentration of infrastructure in the US economy. This document is a useful discussion for students focused on urban planning, critical infrastructure planning and management, and those interested in reducing infrastructure vulnerabilities.</div>
<div>
<br /></div>
<div style="text-align: center;">
<b>###</b></div>
</div>
</div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-91557629447250146502016-01-26T10:32:00.001-08:002016-01-26T10:32:10.916-08:00Seven Strategies to Defend Industrial Control Systems (ICS)<div dir="ltr" style="text-align: left;" trbidi="on">
In December 2015 the <a href="https://www.us-cert.gov/nccic">US National Cybersecurity and Communications Integration Center (NCCIC)</a> -- often referred to as "EN-KICK" -- published a highly readable and brief white paper on <b><a href="https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf"><i>Seven Strategies to Defend ICSs</i>.</a> </b><br />
<b><br /></b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi74M0pW-2d6gDYFO2AxFsJB1lgButSVtQtFnzr9KLdHU0jhoB63jIJhQXYdeOYmH_F5yfT9Qr1Y1hLT_dVHPdcBLMld_-A5FsL5hKjgZXrUwr72YsfHrUmInY0AnLioi2vbPyTL8VKnTYY/s1600/7+Strategies.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi74M0pW-2d6gDYFO2AxFsJB1lgButSVtQtFnzr9KLdHU0jhoB63jIJhQXYdeOYmH_F5yfT9Qr1Y1hLT_dVHPdcBLMld_-A5FsL5hKjgZXrUwr72YsfHrUmInY0AnLioi2vbPyTL8VKnTYY/s400/7+Strategies.jpg" width="400" /></a></div>
<b><br /></b>
<br />
This 7-page pdf offers a useful list of seven strategies a company can follow to better protect its industrial control systems.<br />
<br />
Not only do they offer a quick one- or two-paragraph description of the actions to be taken, but they also offer quick examples of events that could possibly have been prevented had the advice been followed.<br />
<br />
The Seven Strategies include:<br />
<br />
<ol style="text-align: left;">
<li>Implement Application Whitelisting</li>
<li>Ensure Proper Configuration/Patch Management</li>
<li>Reduce Your Attack Surface Area</li>
<li>Build a Dependable Environment</li>
<li>Manage Authentication</li>
<li>Implement Secure Remote Access</li>
<li>Monitor and Respond</li>
</ol>
<div>
<b>RECOMMENDATION -- SHOW THIS TO YOUR BOARD OF DIRECTORS AND EXECUTIVE MANAGEMENT -- IT IS AN EASY READ AND MAKES A POINT THAT SECURITY OF ICS SYSTEMS NEEDS TO BE IMPLEMENTED.</b></div>
<div>
<b><br /></b></div>
<div style="text-align: center;">
<b>###</b></div>
<br />
<br />
</div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-76316031271665816232016-01-14T08:37:00.002-08:002016-01-14T08:37:31.876-08:00Status of US Infrastructure - Infographic<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">Hat tip to Ms. Chrissy Gomez for passing along a link to a very interesting and in-depth Infographic discussing US infrastructure challenges and the impacts of the Infrastructure Bill.</span></div>
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">The title of the article is <i style="font-weight: bold;"><a href="http://www.mbacentral.org/infrastructure-business/">The Infrastructure Bill: What it Means for Business</a></i> and an excerpt of the Infographic is attached below. </span></div>
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">The Infographic does a nice job starting with a summary of the dismal and declining state of US infrastructure and then offers some scenarios of the impacts expected from the December 2015 Congressional Funding of $305B at $61B/year for the next 5 years.</span></div>
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt;">Take a moment to look over the Infographic at the MBA Central website -- this is great information for those worried about US infrastructure and Infrastructure Planning and Management professionals.</span></div>
<div class="MsoNormal" style="margin-bottom: 1.5pt; margin-left: 0in; margin-right: 0in; margin-top: 1.5pt;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUrnEWKFFe-S_Nf5RFIfBfZ2RjuiJ7N5G8L19gpFs3yWFMcxWhTwiHAdv5RZLkFZiughFRGSPc59MOXD9x3Lj4TpAozjyioE-pCl_HsMKOMWKHztPouNRWWycX71kG9r0niUmp-IZv0E5j/s1600/Infrastructure.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUrnEWKFFe-S_Nf5RFIfBfZ2RjuiJ7N5G8L19gpFs3yWFMcxWhTwiHAdv5RZLkFZiughFRGSPc59MOXD9x3Lj4TpAozjyioE-pCl_HsMKOMWKHztPouNRWWycX71kG9r0niUmp-IZv0E5j/s400/Infrastructure.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.mbacentral.org/infrastructure-business/" style="font-family: Arial, sans-serif; font-size: 13.3333px; text-align: left;">http://www.mbacentral.org/infrastructure-business/</a></td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br /></div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-17341018777559736932016-01-11T09:34:00.003-08:002016-01-11T09:34:34.176-08:00CRS Insight - Electric Grid Physical Security: Recent Legislation (US)<div dir="ltr" style="text-align: left;" trbidi="on">
(Another Hat Tip to our friends at the <a href="http://fas.org/">Federation of American Scientists</a> for posting this CRS document!)<br />
<br />
Last week a two-page summary of recent US government legislation focused on electric grid physical security was prepared by Paul W. Parfomak of the Congressional Research Service (CRS).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr8jlA_eo8aqkWRH_IOsEIji-bMcLV1u87AZDjsXCExaWkbDYMIvnTvUX6YkBx80nawJQVZVlD_UMi-Y2M4fUZjLph-BtHNwBy5i3uHQkQYFKkeyIXtgOWKrBWEGVdbDxgxsiLuzTj2H-h/s1600/CRS+-+IN+-+ElectricGrid.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr8jlA_eo8aqkWRH_IOsEIji-bMcLV1u87AZDjsXCExaWkbDYMIvnTvUX6YkBx80nawJQVZVlD_UMi-Y2M4fUZjLph-BtHNwBy5i3uHQkQYFKkeyIXtgOWKrBWEGVdbDxgxsiLuzTj2H-h/s400/CRS+-+IN+-+ElectricGrid.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://fas.us8.list-manage.com/track/click?u=33c6e6fc9f63792ebcbb7ef9d&id=9c0cfe0fff&e=d0dc8ca93c">http://fas.us8.list-manage.com/track/click?u=33c6e6fc9f63792ebcbb7ef9d&id=9c0cfe0fff&e=d0dc8ca93c</a></td></tr>
</tbody></table>
<br />
The document is a quick read. Besides summarizing the <a href="http://www.ferc.gov/">Federal Energy Regulatory Commission (FERC)</a> / <a href="http://www.nerc.com/">North American Electric Reliability Corporation (NERC)</a> efforts on the <a href="http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-014-2&title=Physical%20Security">CIP-014</a> Physical Security Reliability Standard, the document summarizes some interesting electric grid physical security elements in the <b>Fixing America's Surface Transportation (FAST) Act - P.L. 114-94 </b>and the <b>Energy Policy Modernization Act of 2015 - S. 2012.</b><br />
<br />
<b><span style="font-size: large;"><a href="http://www.congress.gov/cgi-lis/bdquery/R?d114:FLD002:@1(114+94)">Fixing America's Surface Transportation (FAST) Act - P.L. 114-94</a></span></b><br />
<ul style="text-align: left;">
<li>Became law on December 4, 2015<br /></li>
<li>Contains provisions in two sections to facilitate recovery during electric grid emergencies due to physical damage and other causes.<br /></li>
<li><b>Critical Electric Infrastructure Security (§1104)</b> -- This section provides the Secretary of Energy additional authority to order emergency measures to protect or restore the reliability of critical electric infrastructure or defense critical electric infrastructure during a grid security emergency. The identification of such a grid emergency would be made by written notice from the President with a concurrent notification from Congress. This section also a) allows grid owners to recover prudent costs incurred under such emergency measures through rates regulated by FERC, and b) increases protection of critical electrical infrastructure information.<br /></li>
<li><b>Strategic Transformer Reserve (§1105) -- </b>This section requires the Secretary of Energy -- in consultation with other agencies, the military, and the utility industry -- to submit to Congress within one year a plan for a Strategic Transformer Reserve.</li>
</ul>
<div>
<b><span style="font-size: large;"><a href="http://www.congress.gov/cgi-lis/bdquery/z?d114:S.2012:">Energy Policy Modernization Act of 2015 - S. 2012</a></span></b></div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li>Includes two sections primarily directed at electric grid cybersecurity but with potential impacts on physical asset protection or recovery.<br /></li>
<li><b>Cybersecurity Threats (</b><b>§2001)</b> -- Would provide the Secretary of Energy additional authority to order emergency measures to avert or mitigate a cybersecurity threat upon receiving notice from the President that such a threat exists. This section is also intended to increase protection of critical electrical infrastructure information.<br /></li>
<li><b>Cybersecurity Threats (</b><b>§2002) -- </b>This section would designate the Department of Energy (DOE) as the lead Sector-Specific Agency under <a href="https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil">Presidential Policy Directive 21</a> for energy sector cybersecurity. This bill would require a) DOE to develop a program for modeling and assessing energy infrastructure risks in the face of natural and human-made (physical and cyber) threats, and b) DOE to explore alternative structures and funding mechanisms to expand industry participation in the <a href="http://www.nerc.com/pa/CI/ESISAC/Pages/default.aspx">Electricity Information Sharing and Analysis Center (E-ISAC)</a>.</li>
</ul>
<br />
<div>
<br /></div>
<div>
Thanks again to Mr. Parfomak for this <i style="font-weight: bold;">CRS Insight</i>.</div>
<div>
<b><br /></b></div>
<div style="text-align: center;">
<b>###</b></div>
<br />
<br />
<br />
<br />
<br /></div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-31237022383635314942016-01-06T12:02:00.002-08:002016-01-06T12:02:38.998-08:00CRS Report - Data Security & Breach Notification Legislation: Selected Legal Issues<div dir="ltr" style="text-align: left;" trbidi="on">
Thanks to our friends at the <i style="font-weight: bold;"><a href="http://fas.org/">Federation of American Scientists</a>, </i>the recently issued Congressional Research Service (CRS) report entitled <i style="font-weight: bold;"><a href="https://www.fas.org/sgp/crs/misc/R44326.pdf">Data Security and Breach Notification Legislation: Selected Legal Issues</a></i> has been made available.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdvzyE1xiId6KjqOYcjQaR6pucDO6aVRr64bA24v2cKMjvqaiWlB06gvQG5TlvPEyJFqu6jZo9-5yK0u0jf-zLN83I42KpsPXpDo8G0HsM7cBqX5YZJjjSdAzFYtIf3nJ-4Nqgg8tnaN0O/s1600/Data+Breach+CRS.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdvzyE1xiId6KjqOYcjQaR6pucDO6aVRr64bA24v2cKMjvqaiWlB06gvQG5TlvPEyJFqu6jZo9-5yK0u0jf-zLN83I42KpsPXpDo8G0HsM7cBqX5YZJjjSdAzFYtIf3nJ-4Nqgg8tnaN0O/s640/Data+Breach+CRS.jpg" width="504" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://www.fas.org/sgp/crs/misc/R44326.pdf">https://www.fas.org/sgp/crs/misc/R44326.pdf</a> (21 Pages)<br /></td></tr>
</tbody></table>
This is a focused report providing a review of the following:<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>Proposed Legislation introduced in the 114th Congress on Data Security and Breach Notification</li>
<li>Discussion about State Data Breach Laws (very brief)</li>
<li>Legal Analysis of:</li>
<ul>
<li>Preemption of State Laws, Regulations, and Claims should Federal Law(s) be Passed in this Area</li>
<li>Agency Enforcement of Data Security and Breach Notification Requirements</li>
</ul>
</ul>
<div>
Some interesting takeaways from this report:</div>
<div>
<br /></div>
<div>
1) 47 US States, the District of Columbia, and three US territories (Guam, Puerto Rico, US Virgin Islands) have enacted data security laws.</div>
<div>
<br /></div>
<div>
2) Alabama, New Mexico, and South Dakota have not enacted breach notification laws.</div>
<div>
<br /></div>
<div>
3) Massachusetts has issued regulations requiring persons who own or license personal information about a Massachusetts resident to "...<i>develop, implement, and maintain a comprehensive information security program..." </i>(201 Mass. Code Regs. 17.03(1)) Such a program must be in writing and contain administrative, technical and physical safeguards appropriate to the size and type of business, available resources, and amount of stored data. Businesses must also conduct an annual review of security measures.<br /></div>
<div>
4) (Excerpt on Federal Preemption of State Data Security Laws - Page 15 )</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0rr_yui-Iw3aFRO-ey95CNGYCcG5BH9mhHmRIVa037CPGZe8pXekWtcvJmYPREAyI2KV4fR2R_OcE6BegpR_R_ZE-QXNahKfzqXHs8v6aIp7myyL62EWJqyCiZEQbivdDZ2gSaBISwDOe/s1600/Key+Take+-+Federal+Preemption.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0rr_yui-Iw3aFRO-ey95CNGYCcG5BH9mhHmRIVa037CPGZe8pXekWtcvJmYPREAyI2KV4fR2R_OcE6BegpR_R_ZE-QXNahKfzqXHs8v6aIp7myyL62EWJqyCiZEQbivdDZ2gSaBISwDOe/s640/Key+Take+-+Federal+Preemption.jpg" width="640" /></a></div>
<div>
<br /></div>
5) (Excerpt on Agency Enforcement - Page 19)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-vbLLCTiX-BgVtWA_zCINbsUgGOGOKCbtTfuG5TrS2IfUcfJvjtBLEXJ6Ghrl57eG2ritGCODT4-8i6J2nPcf4zr06IzxjcbymiIGfDTGGAx_xdYUdLiX0DQuCmtGeJ3K5Wc0d-c1IE9v/s1600/Key+Take+-+Agency+Enforcement.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-vbLLCTiX-BgVtWA_zCINbsUgGOGOKCbtTfuG5TrS2IfUcfJvjtBLEXJ6Ghrl57eG2ritGCODT4-8i6J2nPcf4zr06IzxjcbymiIGfDTGGAx_xdYUdLiX0DQuCmtGeJ3K5Wc0d-c1IE9v/s640/Key+Take+-+Agency+Enforcement.jpg" width="640" /></a></div>
<br />
Overall, this is an interesting read on the implications of possible Federal legislation in the domain of data breach laws primarily addressed by US state laws.<br />
<br />
<div style="text-align: center;">
<b>###</b></div>
<br />
<br />
<br /></div>
</div>
Infrastructure Security Bloghttp://www.blogger.com/profile/03758998242854279163noreply@blogger.comtag:blogger.com,1999:blog-5697056867177470631.post-455985113378997442016-01-04T12:25:00.001-08:002016-01-04T12:25:23.749-08:00Planning for Community Infrastructure Resilience - NIST Guidance<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In 2015 the <a href="http://www.nist.gov/">US National Institute of Standards and Technology (NIST)</a> began a process to produce guidance on approaches to aid communities in improving their resilience to prevailing natural and man-made disasters that could affect their jurisdiction. NIST began to produce various guides offering processes for community planners to follow, including understanding and assessing their current risks as well as developing plans to improve their resilience. Using the "Guides," community planners can better integrate their resilience efforts into their economic development, zoning, and other local planning activities impacting buildings, public utilities, and other infrastructure systems.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ-N8qVYeCsAbbk3zUMf5DBcJ52ag5W4e7j3_g79FKMQ3QJd8NcPPkKRL3B43S5s0vfv2nZ32DYcsyhbe0pHYUxWjFFptAMr-dPLDIKbGNg9UMpMbudhJ3mY0PwOTL8RhW8mlsIQq2VQ2O/s1600/Community+Resilience.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ-N8qVYeCsAbbk3zUMf5DBcJ52ag5W4e7j3_g79FKMQ3QJd8NcPPkKRL3B43S5s0vfv2nZ32DYcsyhbe0pHYUxWjFFptAMr-dPLDIKbGNg9UMpMbudhJ3mY0PwOTL8RhW8mlsIQq2VQ2O/s400/Community+Resilience.jpg" width="400" /></a></div>
<br />
<br />
Currently there are three NIST Guide documents to be summarized below in this Blog:<br />
<br />
<br />
<ul style="text-align: left;">
<li><a href="http://www.nist.gov/el/resilience/upload/NIST-SP-1190v1.pdf"><i style="font-weight: bold;">Community Resilience Planning Guide for Buildings and Infrastructure Systems Volume 1</i>. </a>(11MB Download, 125 pages, Released October 2015)</li>
<li><a href="http://www.nist.gov/el/resilience/upload/NIST-SP-1190v2.pdf" style="font-style: italic; font-weight: bold;">Community Resilience Planning Guide for Buildings and Infrastructure Systems Volume II</a><b style="font-style: italic;"> </b>(14 MB Download, 273 pages, Released October 2015)</li>
<li><i style="font-weight: bold;"><a href="http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919223">Community Resilience Economic Decision Guide for Buildings and Infrastructure Systems</a> </i>(1 MB Download, 69 pages, Released December 2015)</li>
</ul>
<h2 style="text-align: left;">
Volume 1</h2>
<br />
The first document produced by NIST is <a href="http://www.nist.gov/el/resilience/upload/NIST-SP-1190v1.pdf"><i style="font-weight: bold;">Community Resilience Planning Guide for Buildings and Infrastructure Systems Volume 1</i>. </a> (11MB Download, 125 pages). <span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span style="background-color: white; font-size: 12px; line-height: 19.2px;"><b> </b></span></span>Volume I describes the methodology and has an example illustrating the planning process for the fictional town of Riverbend, USA.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW33Bpm2SgdKmvSiqnrmsM-DT67mmF5i0hiMRZVQtK9RrbjrMCRLR3LZop0_dnoUC_PC527M88j6lslIUgkWy_RXYHYpW_6zdh4BUZU68pNrVj5FMpYVECmIvhUFi_j_gHt5uO9_bBlrrf/s1600/Vol+1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW33Bpm2SgdKmvSiqnrmsM-DT67mmF5i0hiMRZVQtK9RrbjrMCRLR3LZop0_dnoUC_PC527M88j6lslIUgkWy_RXYHYpW_6zdh4BUZU68pNrVj5FMpYVECmIvhUFi_j_gHt5uO9_bBlrrf/s400/Vol+1.jpg" width="308" /></a></div>
<br />
<br />
As part of this methodology, Volume 1 includes a "Six-Step Process to Planning for Community Resilience" (shown below). Although the graphic offers an elementary project planning structure, the contents and discussion in Volume 1 on how to approach the challenges of assessing and improving the resilience of the community are useful.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz6SnB5ARKn6qPqw8Vd9chhOUsNgBpzwGppKBRqyjp37yYKkBgEEV70cZeDNfOw1f_NAtczKnaXkjamW9x-uWt83Ld4Oq29ZcKYF7Xe9oHLGbmeXwANqQnZaREbKci8cj1buonZ4pHl9Nr/s1600/NIST-SP-1190v1.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz6SnB5ARKn6qPqw8Vd9chhOUsNgBpzwGppKBRqyjp37yYKkBgEEV70cZeDNfOw1f_NAtczKnaXkjamW9x-uWt83Ld4Oq29ZcKYF7Xe9oHLGbmeXwANqQnZaREbKci8cj1buonZ4pHl9Nr/s1600/NIST-SP-1190v1.bmp" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Volume 1 continues to provide the basis for this approach and also ensures that the reader does not fall into the trap of looking exclusively at "THINGS" such as bridges, roads, public works facilities, but instead helps the reader realize that the THINGS are based on and affected by the social aspects. A particularly good graphic showing this "cause and effect" so to speak is below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxtK8yjTx2QmxyOENX2gz94NsmuNdmth07aaCOzY9Qg2Tgw_Sanakdq4wl16uCK9O7Irz3PzJqLii1nkneuRbLhFGHxfS_hXbSDCAnNPuKa29r5iQfCZCSwtIjaaqUpx1jtoP6OMQoP9Vy/s1600/Communities.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxtK8yjTx2QmxyOENX2gz94NsmuNdmth07aaCOzY9Qg2Tgw_Sanakdq4wl16uCK9O7Irz3PzJqLii1nkneuRbLhFGHxfS_hXbSDCAnNPuKa29r5iQfCZCSwtIjaaqUpx1jtoP6OMQoP9Vy/s400/Communities.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h2 style="clear: both; text-align: left;">
Volume II</h2>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Volume II of this Guide provides details for the planners on issues ranging from Understanding and Characterizing the Social Community (Chapter 10) to Dependencies and Cascading Effects to detailed information for various Critical Infrastructure and Key Resources (CIKR) including:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul style="text-align: left;">
<li>Chapter 12 - Buildings</li>
<li>Chapter 13 - Transportation Systems</li>
<li>Chapter 14 - Energy Systems</li>
<li>Chapter 15 - Communications Systems</li>
<li>Chapter 16 - Water and Wastewater Systems</li>
</ul>
<div>
Each CIKR sector reviewed receives a parallel analysis that includes:</div>
<div>
<ul style="text-align: left;">
<li>Introduction to the Sector</li>
<li>Infrastructure, Functions</li>
<li>Performance Goals for the Sector</li>
<li>Regulatory Environment</li>
<li>Standards and Codes for New Construction and Existing Construction</li>
<li>Strategies for Implementing Plans for Community Resilience</li>
<li>References for the Sector</li>
</ul>
</div>
<div>
Finally, Chapter 17 includes a discussion of "Community Resilience Metrics," covering metrics such as:</div>
<div>
<ul style="text-align: left;">
<li>Time to Recover Function</li>
<li>Economic Vitality</li>
<li>Social Well-Being</li>
<li>Environmental Resilience</li>
<li>Hybrid Metrics</li>
</ul>
</div>
<br />
<h2 style="clear: both; text-align: left;">
Economic Guide</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqo5cvQj6qXkXnebTP22Xg8oLv3uDpDcbjtGFqyG9zfP1ZAjgcZ-TNqkvFAAJxgOjFIOMqw4AFFYSF34rBwapjEz6pu8gjCpa83PvYoM8oWW9m0rj5pbCC3SHWfcP62RVRt5s9Zn5A-bBL/s1600/NIST+Economics+Guide.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqo5cvQj6qXkXnebTP22Xg8oLv3uDpDcbjtGFqyG9zfP1ZAjgcZ-TNqkvFAAJxgOjFIOMqw4AFFYSF34rBwapjEz6pu8gjCpa83PvYoM8oWW9m0rj5pbCC3SHWfcP62RVRt5s9Zn5A-bBL/s640/NIST+Economics+Guide.jpg" width="515" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
The third <a href="http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919223">Guide</a> just issued in this series is focused on Economics and "Economic Decision Making." Per the NIST announcement, the Economic Guide "... <i>provides a standard economic methodology for evaluating investment decisions aimed to improve the ability of communities to adapt to, withstand, and quickly recover from disasters</i>." The report is intended to frame the economic decision process by identifying and comparing the relevant present and future streams of costs and benefits, with benefits realized through cost savings and damage loss avoidance.</div>
<div>
<span style="background-color: white; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; line-height: 19.2px;"><br /></span></div>
<div>
As observed in the report, benefits are primarily determined as the improvement in performance during a hazard event over the status quo, i.e., those obtained directly or indirectly by implementation of the new resilience strategy.</div>
<div>
<br /></div>
<div>
For the cost analysis, all costs are counted, including the negative effects of implementing a resilience action. That specifically includes the initial costs, operation and maintenance costs, end-of-life costs, and replacement costs. In addition, any non-economic costs (e.g., deaths and injuries) and negative externalities need to be taken into account.</div>
<h2 style="text-align: left;">
Who Is Served by These Reports?</h2>
<div>
These reports appear to be excellent resources for city, county, regional and national planners -- especially those examining disaster recovery and Continuity of Operations (COOP) policies, procedures and budgets. Also, students of infrastructure management should find these reports to be very useful -- not only for their content but also for the references cited in the document and for each analyzed critical infrastructure in Volume II.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
###</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
Setting Your Goals for 2016 (posted 2016-01-03)
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: center;">
<b><span style="color: blue;">HAPPY NEW YEAR!</span></b></h2>
<br />
2016 is upon us and it is a time of revelry, celebration, departing the old year and preparing for the new one. Of course, it is a time for new Goals for your profession, career, and personal aspects of your life. However, how can you "build" a decent set of Goals that not only "work" but can be used to help you monitor your progress?<br />
<br />
And yes, this approach to Goal Setting can be applied to critical infrastructure projects, advancing your career, etc.<br />
<br />
For the past few weeks I did some serious study on the Internet/YouTube and other resources on Goal identification and development. My favorite resources included <a href="https://www.tonyrobbins.com/">Mr. Anthony Robbins</a>, <a href="http://projectlifemastery.com/">Stefan Pylarinos</a>, <a href="http://michaelhyatt.com/">Michael Hyatt</a>, the book <i style="font-weight: bold;"><a href="http://www.amazon.com/gp/product/1558747524?keywords=Power%20of%20Focus&qid=1451876614&ref_=sr_1_2&sr=8-2">The Power of Focus</a></i> by Jack Canfield et al., and some personal notes I've accumulated over the years developing Goals for my career, employer and personal life.<br />
<br />
With the ideas harvested from above, some key concepts surfaced as I began this year's effort to develop my own professional/career Goals as well as some personal ones. Here are points to consider:<br />
<br />
<br />
<ol style="text-align: left;">
<li>Start with a "Brainstorm" and list all of the goals you have for the next one, five, 10, 20 years. Just write them down and perhaps sort them into categories such as Professional, Physical, Personal, Financial, Family, Spiritual, etc.<br /></li>
<li>Select 5 to 10 of the most important Goals identified -- especially those you want to accomplish this year. (Trying to do more than 10 may just overwhelm you.)<br /></li>
<li>Using these Goals you've developed, answer the following for each one -- you'll see this approach in the form shown below:<br />
<ul>
<li>What is the AREA of Focus? Or, what is the "Headline" for the Goal?<br /></li>
<li>What is the DEADLINE? Be sure to put a specific date, not just "This Year."</li>
<li>Write down what the Goal is. Use the <b><i><a href="http://www.hr.virginia.edu/uploads/documents/media/Writing_SMART_Goals.pdf">SMART</a></i></b> approach, whereby the Goal should be <b>Specific, Measurable, Achievable, Realistic</b> and <b>Time-Bound</b>. Also consider writing down what you will "see" when the Goal is achieved (e.g., a bound/prepared report, a waistline of 32 inches, or starting a new job).<br /></li>
<li><b><span style="background-color: yellow;">AND THIS IS THE MOST IMPORTANT PART -- WRITE DOWN <u style="font-style: italic;">WHY</u> YOU WANT TO ACHIEVE THIS GOAL. TAKE THE TIME TO EXPLAIN WHY THIS IS IMPORTANT TO YOU, WHAT YOUR PASSION IS ABOUT THIS GOAL, AND WHY YOU NEED TO COMPLETE THIS EFFORT.</span> </b>Take your time to really ensure you can articulate WHY this is important. It will pay off later on.<br /></li>
<li>Fill in the necessary actions required to start, pursue and finish the Goals. Consider set-up actions such as doing research, preparing files, etc. Then, add a fairly detailed list of actions to take -- preferably in order -- to achieve the Goal.</li>
</ul>
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEBKcztYh5LC-UT9fACDD-3uXZjKdXMaYgQpe9d6ouIyp61elUSI7cY2I0JE29admxAGwx-P2H0Ai2W39n975keu4_AUPzLcmblqfmyZR424EvC0taXztmnfQ-mfO1Y-wjgPRrW4YBq4hyphenhyphen/s1600/2016+Goal+Form.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEBKcztYh5LC-UT9fACDD-3uXZjKdXMaYgQpe9d6ouIyp61elUSI7cY2I0JE29admxAGwx-P2H0Ai2W39n975keu4_AUPzLcmblqfmyZR424EvC0taXztmnfQ-mfO1Y-wjgPRrW4YBq4hyphenhyphen/s640/2016+Goal+Form.jpg" width="460" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
But, this is just the beginning...</div>
<div>
<br /></div>
<div>
Take time to review your Goals at least monthly. Ascertain your progress, problems, barriers, and successes. Take the time to savor your wins and look at ways to achieve the "stretch" Goals.</div>
<div>
<br /></div>
<div>
If anyone would like a .docx file of the above Goals form, please let me know via the comments to this post.</div>
<div>
<br /></div>
<div>
Lastly, I've used the above process and form to set up my Goals for 2016! My goals are in the areas of physical health, personal habits, writing, photography, and trying to clean out my office and garage! I'm excited about the new year and I hope you find this approach and the format above useful!</div>
<div>
<br /></div>
<div style="text-align: center;">
<b>###</b></div>
<br /><br /></div>
The New, Improved Maslow's Hierarchy of Needs (posted 2015-12-23)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;">
<b>##########</b> <b>NEWS FLASH!! ##########</b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<b>In his seminal work <i><a href="http://psychclassics.yorku.ca/Maslow/motivation.htm">A Theory of Human Motivation</a>, </i>Abraham Maslow introduced the world to his model depicting the hierarchy of needs required by humans. However, after substantial analysis, re-analysis, and re-re-analysis a new foundational layer has been added to his model that is even more fundamental than a human's basic need for physiological elements such as air, water, etc. </b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<b>A new model has been developed and is shown, with the new foundational level, below:</b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWSM6si_SSyzDBtpCzWp0XEWos7ElGrZ_mY-msC2iDQcV2pA3TSrURFuPyvVOWHnJjANlExswUkENaAdfnZbb52f5hWZStEAJHWlN1ChJh3dqraNolPCu7nqp2jPZ1C1UqyLdU0LZ777SN/s1600/Maslows+NEW+Hierarchy+of+Needs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWSM6si_SSyzDBtpCzWp0XEWos7ElGrZ_mY-msC2iDQcV2pA3TSrURFuPyvVOWHnJjANlExswUkENaAdfnZbb52f5hWZStEAJHWlN1ChJh3dqraNolPCu7nqp2jPZ1C1UqyLdU0LZ777SN/s400/Maslows+NEW+Hierarchy+of+Needs.jpg" width="400" /></a></div>
<div style="text-align: center;">
<b>So, the next time you are surrounded by groups of humans you will almost always see them searching for the fundamental requirement of life... Wi-Fi!</b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<b style="background-color: lime;">Merry Christmas and Happy New Year!</b></div>
</div>
Taking Infrastructure Seriously (posted 2015-10-30)
<div dir="ltr" style="text-align: left;" trbidi="on">
Remember the <a href="http://www.infrastructurereportcard.org/executive-summary/">2013 infrastructure grade report</a> from the <a href="http://www.asce.org/">American Society of Civil Engineers (ASCE)</a>? The 2013 grades for the US were quite damning; a snapshot is posted in the picture below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe23mGyGMAkDXoRNly9nLdd9L2XtTFhlsGDM7jmDTirO7-FSCqtGwhz-dLFhTw_nLuTq854_8MV4iyTgpPj4_-_TtFLiKQGGkuV1oP_LOT8ydDHq30YpymFNfBLnFqhuQjrX1BQ88HLnC_/s1600/2013+Grades.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe23mGyGMAkDXoRNly9nLdd9L2XtTFhlsGDM7jmDTirO7-FSCqtGwhz-dLFhTw_nLuTq854_8MV4iyTgpPj4_-_TtFLiKQGGkuV1oP_LOT8ydDHq30YpymFNfBLnFqhuQjrX1BQ88HLnC_/s640/2013+Grades.jpg" width="451" /></a></div>
<br />
My immediate response is WOW followed by an emoticon of sadness :-(<br />
<br />
These grades are two years old and I suspect they have not improved and perhaps have gotten even worse.<br />
<br />
Maybe with a new Speaker of the House some new attention will be paid to this national crisis (?) -- I certainly hope so.<br />
<br />
In the <b><i><a href="https://agenda.weforum.org/2015/10/gordon-brown-take-infrastructure-seriously/">World Economic Forum AGENDA</a>,</i> </b>there is an article by the Honorable Gordon Brown (former Prime Minister of the United Kingdom) with the headline <i style="font-weight: bold;">GORDON BROWN: IT'S TIME TO TAKE INFRASTRUCTURE SERIOUSLY</i>.<br />
<br />
Mr. Brown's article offers a very critical and less than optimistic view of the world's current infrastructure crisis, and it prompted me to write this blog. He offers some of the following facts:<br />
<br />
<ul style="text-align: left;">
<li>There is a $20 Trillion backlog in infrastructure maintenance/upgrade requirements running to 2030</li>
<li>18% of the world's citizens are left without electricity</li>
<li>11% of the world's citizens are left without clean water</li>
<li>20% are deprived of basic healthcare</li>
<li>58M children are denied primary schooling</li>
</ul>
<div>
Mr. Brown goes on to observe that, without action to address this blight in infrastructure, the eradication of extreme poverty cannot be achieved.</div>
<div>
<br /></div>
<div>
<b>Ideas Needed</b></div>
<div>
<b><br /></b></div>
<div>
Yes, infrastructure capital projects -- new and upgrades -- are expensive and may be risky; however, interest rates are low and there is new emphasis on public-private partnerships to take the actions necessary to at least improve the current situation. Unfortunately, we are so far behind in the US, let alone in the other economically advanced nations, that attention to the less developed countries may be obscured by the problems we face.</div>
<div>
<br /></div>
<div>
Leadership is needed to tackle this issue in conjunction with climate change; the two are intertwined. I'd like to commend Mr. Brown and the World Economic Forum for raising awareness of this daunting issue.</div>
<div>
<br /></div>
<div style="text-align: center;">
###</div>
<br />
<br />
<br /></div>
FEMA Damage Assessment Operating Manual - Comments Requested (posted 2015-10-06)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4LgCvw6IyHLYEU0ih5P5aZzjqAYcz5Pidgm28ncMpfKRpAkkA53FQv5adJto-eP1v966skAmk3XureYdEsSCzzEGq8wajtiRIvzqM-DBpcGy4zxiyD2qIwnZ_96Gr9Rs_JEYKcm9qhHuy/s1600/FEMA+Manual.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4LgCvw6IyHLYEU0ih5P5aZzjqAYcz5Pidgm28ncMpfKRpAkkA53FQv5adJto-eP1v966skAmk3XureYdEsSCzzEGq8wajtiRIvzqM-DBpcGy4zxiyD2qIwnZ_96Gr9Rs_JEYKcm9qhHuy/s400/FEMA+Manual.jpg" width="310" /></a></div>
<div style="text-align: left;">
<span style="font-family: inherit;">The FEMA Damage Assessment Operations Manual is part of a greater effort to provide a user-friendly, streamlined post-disaster damage assessment process that builds on the existing knowledge and expertise of State or Tribe and local partners to identify damage after a natural or man-made disaster. Eligible Tribes and U.S. territories are considered the same as States for application of FEMA programs; the Manual is aimed at clarifying FEMA damage assessment guidance, promoting standardized information collection, and assisting in the development of requests for federal disaster assistance. </span></div>
<br />The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) is seeking comments from state, local, tribal, and territorial emergency management practitioners on the draft FEMA Damage Assessment Operating Manual. The manual establishes national damage assessment standards developed from historic lessons learned and best-practices already in use by state, local, tribal and federal emergency management agencies. The manual is built using a framework that encourages local information collection, state or tribal verification, and federal validation. Previous versions of such manuals have focused exclusively on the federal role. This document better highlights and provides guidance to state, local, and tribal governments on their role in the assessment. The draft manual is posted <a href="http://strongmail1.multiview.com/track?type=click&eas=1&mailingid=2148030&messageid=2148030&databaseid=Mailing.DS148030.2148030.131244&serial=17449120&emailid=barbara.johnson3@fema.dhs.gov&userid=39051324&targetid=&fl=&extra=MultivariateId=&&&2117&&&http://www.fema.gov/media-library/assets/documents/109040">here</a>. Comments should be added to the comment matrix, and submitted by Nov. 14, 2015.<br /><br />The document appears to provide a very thorough user guide for handling disaster assessments. The book is 160 pages long and includes the following (from the Table of Contents):<br /><br />
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li>Introduction</li>
<li>Concept of Operations</li>
<li>Roles and Responsibilities</li>
<li>Evaluating Damage and Impact for FEMA Public Assistance</li>
<li>Evaluating Damage and Impact for FEMA Individual Assistance</li>
<li>Damage Assessment Methods</li>
<li>Integration of Geospatial Analysis and Technology</li>
<li>Integration of Mobile Technology</li>
<li>Appendices A, C, D = Checklists</li>
<li>Appendices E, F = Matrices</li>
<li>Appendix H = Process Charts</li>
</ul>
Overall the document is a useful starting place; however, it does appear to have some gaps in chapter content, formatting, etc. But, then again, the document is out for review and comment.<br /><br />This could be a useful tool for the student of Disaster Assessment and Recovery due to the checklists and discussions about the more contemporary use of GIS and cellphones for data gathering.<br /><br />You are encouraged to take time and at least page through this document and offer your thoughts, ideas and feedback. Perhaps someday you will be using this manual for your own disaster assessments.<div>
<br /></div>
<div style="text-align: center;">
###</div>
<br />
<br /></div>