DHS Designates Election Infrastructure as a Critical Infrastructure Subsector

On Friday, January 6, 2017, Secretary of the US Department of Homeland Security announced that DHS has designated the US Election System as "CRITICAL INFRASTRUCTURE."

In the press release, Johnson noted that "Given the vital role elections play in our country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure."

According to the press release, "Election Infrastructure" is defined as:

• Storage facilities
• Polling places
• Centralized vote tabulation locations
• Information and communications technology to include:
• Voter registration databases
• Voting machines
• Other systems to manage the election process and report and display results on behalf of state and local governments

Johnson reiterated that this designation does not mean a federal takeover, regulation or oversight or intrusion concerning elections in the US.  The designation does not change the roles state and local governments have in administering and running elections.

However, the designation as Critical Infrastructure does mean that election infrastructure does become a priority within the National Infrastructure Protection Plan (NIPP).

###

US Elections System as Critical Infrastructure?

What is "Critical Infrastructure?"

According to the US Department of Homeland Security "Critical Infrastructure" includes those assets, systems, and networks whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Presidential Policy Directive-21 (PPD-21), "Critical Infrastructure Security and Resilience," identifies 16 critical infrastructure sectors.  These sectors include:

• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base
• Emergency Services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors, Materials, and Waste Sector
• Transportation Sector, and 
• Water and Wastewater Sector

What About the US Elections System/Sector?

In the news these past six weeks there has been an elevated discussion regarding the US election system and whether or not it should be identified as "Critical Infrastructure" and thus protected in the same way and means as the other 16 identified infrastructures.  This is aggravated by Mr. Trump questioning the integrity of the US election system and elevated concerns raised by the media that our country's enemies may take action to negatively impact the results of the voting on Tuesday, November 8th.

In early August, Secretary of the Department of Homeland Security, Jeh Johnson, observed:

"There's a vital national interest in our election process, so I do think we need to consider whether it should be considered by my department and others as critical infrastructure."  However ... 

 "There's no one federal election system. There are some 9,000 jurisdictions involved in the election process," Johnson said. (Link)

So, Johnson's perception is that there is no single "Election Infrastructure Sector" per se and it may be challenging to quickly and effectively identify it as "Critical Infrastructure."

I even heard of this issue at a recent conference held by the North American Electric Reliability Corporation (NERC) where a "new" critical infrastructure sector could be the US election system.

With some investigation by this writer, an article published on September 13, 2016, in Fedscoop, was located noting DHS Assistant Secretary for Cybersecurity, Andy Ozment, said that DHS will not classify election systems as critical infrastructure before the November 2016 presidential election.

Ozment's quote continued:

"This is not something we're looking to in the near future.  This is a conversation we're having in the long term with state and local government, who are responsible for voting infrastructure.  We're focused right now on what we can usefully offer that local and state government will find valuable.

"From our perspective, it gives us more ability to help.  It does not put DHS in charge."

It will be fascinating to see how this conversation progresses -- especially if Mr. Trump's noisy questioning of the integrity of the voting process continues through and after the presidential election.

At a minimum, perhaps the "Election System Sector" could be included under the auspices of the "Government Sector" Critical Infrastructure designation rather than adding "Number 17."

###

Review - WEF Global Competitiveness Report

This September 2016 the World Economic Forum (WEF) published its annual Global Competitiveness Report 2016-17.  This report is almost 400 pages of a fairly comprehensive analysis of each country in the world and its relative competitiveness based on 12 separate factors (shown below):

And based on these 12 factors, the factors themselves are broken down into key elements for:

• Factor-Driven Economies
• Efficiency-Driven Economies, and
• Innovation-Driven Economies

For instance Institutions and Infrastructure are key "Basic" requirements necessary for an economy to thrive and compete.

The WEF analysis then used these factors to ascertain the competitiveness of a country relative to the rest of the world as well as to its geographic region in many cases.  For instance, the top 10 most competitive countries using this methodology are:

And the bottom 10 are:

Infrastructure Factor

The elements reviewed to calculate each factor are listed in the "Technical Notes and Sources" section at the end of the report.  Since this blog is focused on infrastructure there is interest on the elements included in this calculation.  These include the following:

• Quality of overall infrastructure
• Quality of roads
• Quality of railroad infrastructure
• Quality of port infrastructure
• Quality of air transport infrastructure
• Available airline seat kilometers
• Quality of electricity supply
• Mobile-cellular telephone subscriptions
• Fixed telephone lines

At first glance, this list is missing such elements as fresh/potable water supply, food availability and distribution, etc.  However, the "Technological Readiness" factors include the following that could be considered part of the strength of a country's infrastructure:

• Availability of latest technologies
• Firm-level technology absorption
• Foreign Direct Investment and technology transfer
• Internet users
• Fixed broadband Internet users
• Internet bandwidth
• Mobile broadband subscriptions

Conclusion

As usual, the quality and content of this report are very good.  It is compelling and interesting and a useful reference for country policy development.

###

IMPACT OF POPULATION SHIFTS ON CRITICAL INFRASTRUCTURE -- Summary of OCIA Report

In early July the U.S. Department of Homeland Security (DHS)/Office of Cyber and Infrastructure Analysis (OCIA) published an analysis entitled Impact of Population Shifts on Critical Infrastructure.  The report is a very compelling and interesting read and gives you a sense of how hard it is to augment infrastructure when the population is increasing (such as in the areas where fracking is in progress) and, how difficult it is to maintain current infrastructure when your tax base -- i.e., population -- is leaving as in the Rust Belt of the US.

To give the reader a sense of those areas in the continental US where population increase and decline may contribute to stresses on installation and maintenance of critical infrastructure is shown in a map shown below:

The map does reflect population shifts from the Northeast and Midwest to the South and West -- especially Texas, Georgia and Arizona/Nevada. According to the report, the new growth is in part because of high-technology magnet areas in the West and South, energy development of shale gas and shale oil in rural areas throughout the country, and regrowth in cities in the South and West with housing-led reversals. This growth is also partially because of lower costs of living, potentially including lower tax rates.

Rapidly increasing populations result in:

• Increased demand for services
• Increased infrastructure use
• Increased rural roadway use requiring expensive reconstruction and repair
• Reduced available downtime for infrastructure maintenance and repairs
• Challenges in funding immediately needed infrastructure upgrades since available money may be delayed due to tax and revenue stream deferrals to later years.
• Increased frequency and severity of disruptions to water and wastewater systems

Reduced populations result in:

• Reduced tax base resulting in funding shortfalls for infrastructure maintenance and repairs
• Uneven population densities within metro areas

Conclusions

The report does offer some approaches to address bot increasing and declining populations and the impacts on critical infrastructure.  The key recommendations for both cases are:

1. Strategic Planning -- For rapidly increasing population growth, strategic planning is critical for meeting increases in demand -- especially because of the lead-time needed for financing; designing and planning projects; obtaining regulatory approvals; siting and constructing the infrastructure.
   
2. Public-Private Partnerships -- These partnerships and their collective approach can be useful for infrastructure planning/development/maintenance during times of population growth or decline.  Don't forget, most of the critical infrastructure in the US is privately owned.  And because these private entities rely on state/local government approval to deploy large infrastructure projects their partnership and cooperation is critical.

###

A View of the World's Infrastructure -- PBS Video "Humanity from Space"

I have been a student of global infrastructure for many years and even completed my Masters in Infrastructure Planning and Management from the University of Washington, Seattle, USA this past year.  This week I happened to view an absolutely fascinating video on the US Public Broadcasting System (PBS) called Humanity from Space.

http://www.pbs.org/program/humanity-from-space/ 

This video offers a terrific view of global infrastructure expansion and development from the early days of mankind up to the future views of expanded renewable energy, communications networks, highways, transportation, etc.

From the PBS page, here is a broader description of the video:

You can view the entire video at:  http://www.pbs.org/video/2365530573/

You may also be able to locate it on other alternative options such as Roku, Netflix, Amazon Prime.

Anyway, take time to view this phenomenal film....the graphics are thought provoking and the music is from one of my favorite composers, Thomas Bergersen/Two Steps from Hell.

Cheers!

###

ONE OF FEW IN THE WORLD – MASTERS IN INFRASTRUCTURE PLANNING AND MANAGEMENT

As I began writing this blog post the World Economic Forum (WEF) annual meeting in Davos, Switzerland is in progress.  In conjunction with this major meeting the WEF also produces its Global Risks Report.  One section of the report – shown below – is entitled “Global Risks of Highest Concern for Doing Business.”

Figure 1 http://reports.weforum.org/global-risks-2016/eos/

As you look at this list, the eighth most important risk of concern is “Failure of Critical Infrastructure.” 

Wow, that is very disconcerting and it is important that critical infrastructure issues be addressed to help mitigate and alleviate these risks.  But even as you think about it, global infrastructure is strained even with issues #1 through #7 (and #9, of course).

But how?

Masters of Infrastructure Planning and Management

In August 2015 I successfully completed the Master’s Degree in Infrastructure Planning and Management at the University of Washington, Seattle, Washington USA.  This program – entirely online, so you can take classes literally around the globe in various time zones – provided fantastic exposure to me as an infrastructure security professional on ways to manage and protect vital infrastructure systems from natural and man made threats.  The program curriculum is included below.

Figure 2 http://www.infrastructure-management.uw.edu/overview/courses/

And as you can observe, the courses train the students on such fundamental topics as risk management, geographic information systems (GIS), and strategic planning.  The core courses include “soup to nuts” reviews of different infrastructure sectors such as energy, water, food, transportation, emergency management and public health.

At the end of the two-year program I believe you can be an adept contributor to critical infrastructure planning and management at the local, regional, national or international level.

By the way, the instructors are also accomplished, practical professionals in their areas.  For instance the infrastructure finance professor studied under Nobel Laureates at the University of California.  The instructors teaching the energy courses work for the regional utility in Seattle, and the public health professor is a physician with almost 40 year’s experience in international public health management.

Overall, the instructors “…really know their stuff…” from a practical, hand-on perspective and after a quarter with each one of them you have not only learned the details of the sector but you also know where to look for more information – a key value to me as a critical infrastructure protection professional.

Graduates and their Stories

Some of my fellow classmates have done very well with their MIPM credentials.  One grad continued in the Business Continuity/Planning space for a major health insurance provider and is now the Global Emergency Preparedness manager for a major, US West Coast university.  Another classmate continues as a Lieutenant Colonel in the Army with expanded awareness of global infrastructure issues.  A third classmate is in a local city public utility doing planning work.

How Can I Get More Information?  Where Do I Sign Up?

If you want more details I’d first suggest you visit the University of Washington Master in Infrastructure Planning and Management web page.

Be sure to review the Admissions requirements and the Costs/Financial Aid page.  Overall, you’ll see that the entrance requirements are certainly those of a Top Tier University but within reason for the working professional.  Some of my classmates had their tuition covered by the GI Bill and my company reimbursed me for my courses.

Of note, each cohort starts at the end of September each year and the Application Deadline is June 1^st.

Unique Training – Unique Opportunity

As the faculty and students can attest, this is one of the very few programs in the world offering Masters-level training on infrastructure planning and management.  And, it is ONLINE so you don’t need to attend classes and – as a working professional – I can tell you that class assignments can be completed even if you are on the road multiple time zones away from Seattle.

So, here are the key Links…..and remember, the Application Deadline is June 1^st.

·         PROGRAM OVERVIEW: http://www.infrastructure-management.uw.edu/

·         CURRICULUM:                  http://www.infrastructure-management.uw.edu/overview/courses/

·         FACULTY:                            http://www.infrastructure-management.uw.edu/overview/faculty/

·         ADMISSIONS:                    http://www.infrastructure-management.uw.edu/admissions/

·         FINANCES:                          http://www.infrastructure-management.uw.edu/costs/

·         ONLINE LEARNING:         http://www.infrastructure-management.uw.edu/overview/onlinelearning/

###

CRS Report - Vulnerability of Concentrated Critical Infrastructure

I was recently writing an article for the Hazar Strateji Enstitüsü / Caspian Strategy Institute (HASEN) on the subject of physical security of critical electric infrastructure.  During my research I came across a very interesting -- and I believe timely -- Congressional Research Service (CRS) Report entitled Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options.  The report was prepared by Paul W. Parfomak and updated on September 12, 2008. 

(Hat tip to the Federation of American Scientists for posting this document in their publically available CRS library!)

I found this report to be an exceptional analysis of the vulnerabilities posed to the US with critical infrastructure concentrated in geographic areas.  Such concentration increases the vulnerability to events like natural disasters, epidemics, certain kinds of terrorist attacks, etc.

The report defines "Geographic Concentration" of critical infrastructure as:

"...the physical location of critical assets in sufficient proximity to each other that they are vulnerable to disruption by the same, or successive, regional events."

To give the reader a sense of the degree of geographic concentration (in 2008) here is an interesting list:

• Energy (Refining) -- Approximately 43% of total US oil refining capacity is clustered along the Texas and Louisiana coasts

• Banking and Finance (Securities Market) -- Almost 39% of US securities and options are traded on the floors of the NY and American Stock Exchanges in lower Manhattan
  
• Chemicals (Chlorine) -- Over 38% of US chlorine production is located in coastal Louisiana

• Transportation (Rail) -- Over 37% of US freight railcars pass through Illinois, primarily around Chicago.  Over 27% of freight railcars pass primarily through St. Louis
  
• Transportation (Marine Cargo) -- Over 33% of US waterborne container shipments pass through the ports of Long Beach and Los Angeles in Southern California (Note: a major tsunami in Southern California could close the Ports of Long Beach/Los Angeles for two months and cost $60B in economic losses)

• Defense Industrial Base (Shipyards) -- Over 31% of US naval shipbuilding and repair capacity is in and around Norfolk, Virginia
  
• Agriculture and Food (Livestock) -- Approximately 29% of US hog inventories are in Iowa; 15% in eastern North Carolina

• Public Health and Healthcare (Pharmaceuticals) -- Approximately 25% of US pharmaceuticals are manufactured in Puerto Rico/San Juan metro area

In addition to the sobering numbers above, if you look at the combined geographical area of New York City and Northern New Jersey the US port capacity is 12% and airport capacity is 8%.

MARKET INFLUENCES ON GEOGRAPHIC CONCENTRATION

To the casual observer, geographic concentration of US critical infrastructure is nothing new.  For example, Chicago and Atlanta evolved from railroad hubs; Louisiana and the Coast of Texas are major players in oil and natural gas because that is where the natural resources are, etc.  However, there are some added influences cited by the CRS report.  They include:

• Resource Location
  
• Agglomeration Economies (i.e., spatial concentration itself creates favorable economic environment that supports further or continued concentration
  
• Scale Economies (e.g., refineries, ports, etc. are growing larger and larger due to the driver of "economy of scale")
  
• Community Preferences (this is more like the concentration of infrastructure in places where the local citizens are not opposed to such facilities)
  
• Capital Efficiency (critical infrastructure is located where capital can be efficiently deployed)
  

FEDERAL POLICIES AND INFRASTRUCTURE CONCENTRATION

Finally, for those who are planners or students of infrastructure planning and management here are some selected Federal policies to discourage geographic concentration:

• Prescriptive Siting (e.g., In the early 1940s, the US Government financed a major steel plant in Utah as a precaution against shortages in the Western US in case of a Pacific Coast invasion by the Japanese or closure of the Panama Canal)
  
• Economic Incentives
  
• Environmental Regulation (e.g., Coastal Zone Management Act, Clean Air Act, etc.)
  
• Economic Regulation

Finally the report highlights policy options to reduce infrastructure vulnerability that can include:

• Eliminating Policies Encouraging Concentration
  
• Encouraging Geographic Dispersion
  
• Ensuring Infrastructure Survivability
  
• Ensuring Infrastructure Recovery Capabilities

CONCLUSIONS

Overall this is an excellent and thought-provoking report on the strengths and vulnerabilities posed by the concentration of infrastructure in the US economy.  This document is a useful discussion for students focused on urban planning, critical infrastructure planning and management, and those interested in reducing infrastructure vulnerabilities.

###

Status of US Infrastructure - Infographic

Hat tip to Ms. Chrissy Gomez for passing along a link to a very interesting and in-depth Infographic discussing US infrastructure challenges and the impacts of the Infrastructure Bill.

The title of the article is The Infrastructure Bill: What it Means for Business and an excerpt of the Infographic is attached below. 

The Infographic does a nice job starting with a summary of the dismal and declining state of US infrastructure and then offers some scenarios of the impacts expected from the December 2015 Congressional Funding of $305B at $61B/year for the next 5 years.

Take a moment to look over the Infographic at the MBA Central website -- this is great information for those worried about US infrastructure and Infrastructure Planning and Management professionals.

http://www.mbacentral.org/infrastructure-business/

CRS Insight - Electric Grid Physical Security: Recent Legislation (US)

(Another Hat Tip to our friends at the Federation of American Scientists for posting this CRS document!)

Last week a two-page summary of recent US government legislation focused on electric grid physical security was prepared by Paul W. Parfomak of the Congressional Research Service (CRS).

http://fas.us8.list-manage.com/track/click?u=33c6e6fc9f63792ebcbb7ef9d&id=9c0cfe0fff&e=d0dc8ca93c

The document is a quick read. Besides summarizing the Federal Energy Regulatory Commission (FERC)) / North American Electric Reliability corporation (NERC) efforts on the CIP-014, Physical Security Reliability Standard, the document summarizes some interesting electric grid physical security elements in the Fixing America's Surface Transportation (FAST) Act - P.L. 114-94 and the Energy Policy Modernization Act of 2015 - S. 2012.

Fixing America's Surface Transportation (FAST) Act - P.L. 114-94

• Became law on December 4, 2015
  
• Contains provisions in two sections to facilitate recovery during electric grid emergencies due to physical damage and other causes.
  
• Critical Electric Infrastructure Security (§1104) -- This section provides the Secretary of Energy additional authority to order emergency measures to protect or restore the reliability of critical electric infrastructure or defense critical electric infrastructure during a grid security emergency.  The identification of such a grid emergency would be made by written notice from the President with a concurrent notification from Congress.  This section also allows a) grid owners to recover prudent costs incurred under such emergency measures through rates regulated by FERC, and b) increases protection of critical electrical infrastructure information.
  
• Strategic Transformer Reserve (§1105) -- This section requires the Secretary of Energy -- in consultation with other agencies, the military, and the utility industry -- to submit to Congress within one year a plan for a Strategic Transformer Reserve.

Energy Policy Modernization Act of 2015 - S. 2012

• Includes two sections primarily directed at electric grid cybersecurity but with potential impacts on physical asset protection or recovery.
  
• Cybersecurity Threats (§2001) -- Would provide the Secretary of Energy additional authority to order emergency measures to avert or mitigate a cybersecurity threat upon receiving notice from the President that such a threat exists.  This section is also intended to increase protection of critical electrical infrastructure information.
  
• Cybersecurity Threats (§2002) -- This section would designate the Department of Energy (DOE) as the lead Sector-Specific Agency under Presidential Policy Directive 21 for energy sector cybersecurity.  This bill would require a) DOE to develop a program for modeling and assessing energy infrastructure risks in the face of natural and human-made (physical and cyber) threats, b) DOE to explore alternative structures and funding mechanisms to expand industry participation in the Electricity Information Sharing and Analysis Center (E-ISAC).

Thanks again to Mr. Parfomak for this CRS Insight.

###

Planning for Community Infrastructure Resilience - NIST Guidance

In 2015 the US National Institute of Standards and Technology (NIST)  began a process to produce guidance on approaches to aid communities in improving their resilience to prevailing natural and man made disasters that could affect their jurisdiction.  NIST began to produce various guides to offer some processes for community planners to follow including understanding and assessing their current risks as well as develop plans to implement to improve their resilience.  Using the "Guides" the community planners can better integrate their resilience efforts into their economic development, zoning, and other local planning activities impacting buildings, public utilities, and other infrastructure systems.

Currently there are three NIST Guide documents to be summarized below in this Blog:

• Community Resilience Planning Guide for Buildings and Infrastructure Systems Volume 1. (11MB Download, 125 pages, Released October 2015)
• Community Resilience Planning Guide for Buildings and Infrastructure Systems Volume II  (14 MB Download, 273 pages, Released October 2015)
• Community Resilience Economic Decision Guide for Buildings and Infrastructure Systems (1 MB Download, 69 pages, Released December 2015)

Volume 1

The first document produced by NIST is Community Resilience Planning Guide for Buildings and Infrastructure Systems Volume 1.   (11MB Download, 125 pages).  Volume I describes the methodology and has an example illustrating the planning process for the fictional town of Riverbend, USA.

As part of this methodology, Volume 1 includes a "Six-Step" Process to Planning for Community Resilience." (Shown Below).  Although the graphic is offering an elementary project planning structure, the contents and discussion of Volume 1 on how to approach the challenges of assessing and improving the resilience of the community is useful.

Volume 1 continues to provide the basis for this approach and also ensures that the reader does not fall into the trap of looking exclusively at "THINGS" such as bridges, roads, public works facilities, but instead helps the reader realize that the THINGS are based on and affected by the social aspects.  A particularly good graphic showing this "cause and effect" so to speak is below:

Volume II

Volume II of this Guide provides details for the planners on issues ranging from Understanding and Characterizing the Social Community (Chapter 10) to Dependencies and Cascading Effects to detailed information for various Critical Infrastructure and Key Resources (CIKR) including:

• Chapter 12 - Buildings
• Chapter 13 - Transportation Systems
• Chapter 14 - Energy Systems
• Chapter 15 - Communications Systems
• Chapter 16 - Water and Wastewater Systems

Each CIKR sector reviewed includes parallel analysis to include:

• Introduction to the Sector
• Infrastructure, Functions
• Performance Goals for the Sector
• Regulatory Environment
• Standards and Codes for New Construction and Existing Construction
• Strategies for Implementing Plans for Community Resilience
• References for the Sector

Finally, Chapter 17 includes a discussion on "Community Resilience Metrics" to include such metrics as:

• Time to Recover Function
• Economic Vitality
• Social Well-Being
• Environmental Resilience
• Hybrid Metrics

Economic Guide

The third Guide just issued in this series is focused on Economics and "Economic Decision Making."   Per the NIST announcement the Economic Guide "... provides a standard economic methodology for evaluating investment decisions aimed to improve the ability of communities to adapt to, withstand, and quickly recover from disasters."  The report is intended to frame the economic decision process by identifying and comparing the relevant present and future streams of costs and benefits with benefits realized through costs savings and damage loss avoidance.

As observed in the report benefits are primarily determined as the improvement in performance during a hazard event over the status quo, i.e., those obtained directly or indirectly by implementation of the new resilience strategy.

And for cost analysis, costs include all costs, including negative effects of implementing a resilience action. That specifically includes the initial costs, operation and maintenance costs, end-of-life costs, and replacement costs. In addition, any non-economic costs (e.g., deaths and injuries) and negative externalities need to be taken into account.

Who Are Served by These Reports?

These reports appear to be excellent resources for city, county, regional and national planners -- especially those examining disaster recovery and Continuity of Operations (COOP) policies, procedures and budgets.  Also, students of infrastructure management should find these reports to be very useful -- not only for their content but also for the references cited in the document and for each analyzed critical infrastructure in Volume II.

###

Setting Your Goals for 2016

HAPPY NEW YEAR!

2016 is upon us and it is a time of revelry, celebration, departing the old year and preparing for the new one.  Of course, it is a time for new Goals for your profession, career, and personal aspects of your life.  However, how can you "build" a decent set of Goals that not only "work" but can be used to help you monitor your progress?

And yes, this approach to Goal Setting can be applied to critical infrastructure projects, advancing your career, etc.

For the past few weeks I did some serious study on the Internet/YouTube and other resources on Goal identification and development.  My favorite resources included Mr. Anthony Robbins, Stefan Pylarinos, Michael Hyatt, the book The Power of Focus by Jack Canfield et al,, and some personal notes I've accumulated over the years developing Goals for my career, employer and personal life.

With the ideas harvested from above, some key concepts surfaced as I began this year's effort to develop my own professional/career Goals as well as some personal ones.  Here are points to consider:

1. Start with a "Brainstorm" and list all of your goals you have for the next one, five, 10, 20 years.  Just write them down and perhaps categorize them into such areas or categories as Professional, Physical, Personal, Financial, Family, Spiritual, etc.
   
2. Select 5 to 10 of the most important Goals identified -- especially those you want to accomplish this year. (Trying to do more than 10 may just overwhelm you)
   
3. Using these Goals you've developed, answer the following for each one -- you'll see this approach in the form shown below:
   
• What is the AREA of Focus?  Or, what is the "Headline" for the Goal?
  
• What is the DEADLINE?  Be sure to put a specific date, not just "This Year."

• Write down what the Goal is -- Use the SMART approach whereby the Goal should be: Specific, Measurable, Achievable, Realistic and Time-Bound -- Maybe consider writing down what you will "see" when the Goal is achieved (e.g., a bound/prepared report, or a waistline of 32 inches, or starting a new job, etc.)
  
• AND THIS IS THE MOST IMPORTANT PART -- WRITE DOWN WHY YOU WANT TO ACHIEVE THIS GOAL.  TAKE THE TIME TO EXPLAIN WHY THIS IS IMPORTANT TO YOU, WHAT YOUR PASSION IS ABOUT THIS GOAL, AND WHY YOU NEED TO COMPLETE THIS EFFORT.  Take your time to really ensure you can articulate WHY this is important.  It will pay off later on.
  
• Fill in the necessary actions required to start, pursue and finish the Goals.  Consider set-up actions such as doing research, preparing files, etc.  Then, add a fairly detailed list of actions to take -- preferably in order -- to achieve the Goal.

But, this is just the beginning...

Take time to review your Goals, at least Monthly.  Ascertain your progress, problems, barriers, and successes.  Take the time to savor your wins and look at ways to achieve the "stretch" Goals.  

If anyone would like a .docx file of the above Goals form, please let me know via the comments to this post.

Lastly, I've used the above process and form to set up my Goals for 2016!  My goals are in the areas of physical health, personal habits, writing, photography, and trying to clean out my office and garage!  I'm excited about the new year and I hope you find this approach and the format above useful!

###

Taking Infrastructure Seriously

Remember the 2013 infrastructure grade report from the American Society of Civil Engineers (ASCE)?  A snapshot of the 2013 grades for the US were quite damning and are posted in the picture below:

My immediate response is WOW followed by an emoticon of sadness :-(

These grades are two years old and I suspect they have not improved and perhaps have gotten even worse.

Maybe with a new Speaker of the House perhaps some new attention on this national crisis will happen (?) -- I certainly hope so.

In the World Economic Forum AGENDA, there is an article by the Honorable Gordon Brown (former Prime Minister of the United Kingdom) with the headline GORDON BROWN:  IT'S TIME TO TAKE INFRASTRUCTURE SERIOUSLY.

Mr. Brown's article offers a very critical and less than optimistic view of the world's current infrastructure crisis that prompted me to write this blog.  He offers some of the following facts:

• There is a $20 Trillion backlog in infrastructure maintenance/upgrade requirements running to 2030
• 18% of the world's citizens are left without electricity
• 11% of the world's citizens are left without clean water
• 20% are deprived of basic healthcare
• 58M children denied primary schooling

Gordon continues to observe that without action on improving this blight in infrastructure eradicating extreme poverty cannot not be achieved.

Ideas Needed

Yes, infrastructure capital projects -- new and upgrades -- are expensive and may be risky; however, interest rates are low and there is new emphasis on public-private partnerships to take necessary actions to at least improve the current situation.  Unfortunately, we are so far behind in the US let alone the other parts of the economically advanced nations that paying attention to the less developed countries may be obscured by the problems we face.

Leadership is needed tackle this issue in conjunction with climate change....they are both intertwined and I'd like to commend Mr. Brown and the World Economic Forum for raising awareness on this daunting issue.

###

FEMA Damage Assessment Operating Manual - Comments Requested

The FEMA Damage Assessment Operations Manual is part of a greater effort to provide a user-friendly, streamlined post-disaster damage assessment process that builds on the existing knowledge and expertise of State or Tribe and local partners to identify damage after a natural or man-made disaster. Eligible Tribes and U.S. territories are considered the same as States for application of FEMA programs; the Manual is aimed at clarifying FEMA damage assessment guidance, promoting standardized information collection, and assisting in the development of requests for federal disaster assistance. 

The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) is seeking comments from state, local, tribal, and territorial emergency management practitioners on the draft FEMA Damage Assessment Operating Manual. The manual establishes national damage assessment standards developed from historic lessons learned and best-practices already in use by state, local, tribal and federal emergency management agencies. The manual is built using a framework that encourages local information collection, state or tribal verification, and federal validation. Previous versions of such manuals have focused exclusively on the federal role. This document better highlights and provides guidance to state, local, and tribal governments on their role in the assessment. The draft manual is posted here. Comments should be added to the comment matrix, and submitted by Nov. 14, 2015.

The document appears to provide a very thorough user guide for handling disaster assessments. The book is 160 pages long and includes the following (from the Table of Contents):

• Introduction
• Concept of Operations
• Roles and Responsibilities
• Evaluating Damage and Impact for FEMA Public Assistance
• Evaluating Damage and Impact for FEMA Individual Assistance
• Damage Assessment Methods
• Integration of Geospatial Analysis and Technology
• Integration of Mobile Technology
• Appendices A, C, D = Checklists
• Appendices E, F = Matrices
• Appendix H = Process Charts

Overall the document is a useful starting place; however, it does appear to have some gaps in chapter content, formatting, etc. But, then again, the document is out for review and comment.

This could be a useful tool for the student of Disaster Assessment and Recovery due to the checklists and discussions about the more contemporary use of GIS and cellphones for data gathering.

You are encouraged to take time and at least page through this document and offer your thoughts, ideas and feedback. Perhaps someday you will be using this manual for your own disaster assessments.

###

FEMA Bits and Pieces

For those of us in the "infrastructure community" we seem to be drawn to issues involving different critical infrastructure sectors along with broader issues such as emergency preparedness, disaster response and business continuity, government financing, climate change impacts, etc.

A useful resource is FEMA's Higher Education Program Bits and Pieces newsletter published by Barbara Johnson at the FEMA National Emergency Training Center, Emmitsburg, Maryland.  

The newsletter - often produced weekly on Fridays - not only includes information on FEMA training opportunities but it also weaves in timely  "bits and pieces" of information on emergency planning, critical infrastructure protection, etc.  The report also highlights any recently issued Congressional Research Service reports that may be of interest to the emergency planning/critical infrastructure protection professional.

Instructions on how to sign up for the email subscription service are below:

Sign up via our free e-mail subscription service to receive notifications when new information is available from the Higher Education Program and FEMA.gov.

You will receive Activity Reports and other pertinent information concerning professional development. You also have the option of signing up for additional e-mail updates from FEMA and EMI. Visit the subscriber settings page to sign up for additional e-mail notices. Once there, you can also receive e-mail updates targeted to your geographic area by clicking on “subscriber preferences” and inserting your state and ZIP Code where requested.

The links above will guide you through various aspects of the Higher Education Program. If you have any questions, please contact Barbara L. Johnson at Barbara.Johnson3@fema.dhs.gov.

Please note: Some of the websites linked from the Higher Ed courses, documents, presentations are not Federal government websites and may not necessarily operate under the same laws, regulations and policies as Federal websites.

Many thanks to Barbara for this useful service!  Well done!

###

Pervasive Sensing and Risk Implications

For the past four years I have been talking one class a quarter towards a Masters in Infrastructure Planning and Management offered by the College of Built Environments at the University of Washington in Seattle.

This program is very unique, the classes are entirely online, and I've not seen one like it in my global travels.  It is a fantastic program covering a broad range of critical infrastructure issues (e.g., transportation, water systems, emergency management, etc.) and also offers supporting training in areas such as capital budgeting/finance for government.  Overall I was very impressed with the faculty and level of education.

Well, the end is in sight!  The final assignment due this week is to submit the final Capstone and also prepare a summary presentation on YouTube the  Capstone contents (in 10 minutes!).

The title of my Capstone is: Pervasive Sensing and Industrial Control System Risk Implications.

https://www.youtube.com/watch?v=yyQbUBIVWIo

The YouTube link for the 10-minute narrated PowerPoint is at:  https://www.youtube.com/watch?v=yyQbUBIVWIo

I hope you will find this presentation informative and though-provoking.

Lastly, apologies to those of you made aware of this presentation via a separate Twitter and LinkedIN announcement a few days ago.

Cheers!

###

Insurance and a US Electric Grid Blackout - A Compelling Read

On July 8, 2015, Lloyd's of London published an excellent report Business Blackout - The insurance implications of a cyber attack on the US power grid.  

(The same day as the United Airlines, Wall Street Journal and New York Stock Exchange cyber events...hmmm, any coincidence?)

This 65-page report is an excellent analysis of the insurance and economic impact on the US following a theoretical cyber attack on the US Northeastern corridor affecting Boston to Washington, DC.  The report is a compelling read for anyone in the cyber security or critical infrastructure domains -- at a minimum the analysis by Lloyd's and the Cambridge Center for Risk Studies Team (University of Cambridge Judge Business School) causes you to take pause to a) better understand the interdependency of infrastructures and b) better learn ways to consider economic impacts of such events.

Key sections of the report include:

• Executive Summary
• Introduction to the Scenario
• The Erebos Cyber Blackout Scenario
• Direct Impacts to the Economy**
• Macroeconomic Analysis**
• Cyber as an Emerging Insurance Risk**
• Insurance Industry Loss Estimation
• Annex A:  Cyber Attacks Against Industrial Control Systems since 1999
• Annex B:  The US Electricity Grid and Cyber Risk to Critical Infrastructure
• Annex C:  Constructing the Scenario - Threats and Vulnerabilities

** = Focus your reading here...

For some key "bullets" on the report and the scenario, the following were extracted from the Lloyd's web page:

1. The attackers are able to inflict physical damage on 50 electric generators which supply electrical power in the Northeastern USA, including New York City and Washington, DC.
2. While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers wider blackouts which leaves 93 million people without power.
3. The total impact to the US economy is estimated at $243B, rising to more than $1T in the most extreme version of the scenario.
4. Insurance claims arise in over 30 lines of insurance.  The total insured losses are estimated at $21.4B, rising to $71.1B in the most extreme version of the scenario.
5. A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
6. The sharing of cyber attack data is a complex issue, but could be an important element for enabling the insurance solutions required for this key emerging risk.

Hat tip to Eireann Leverett, Senior Risk Researcher and member of the ENISA ICS Security Stakeholders Group for passing along this analysis.

CONCLUSION

If you are involved with critical infrastructure -- especially the electric grid -- take time to read this report cover-to-cover.  If you are worried about the economic impacts of cyber on your business -- read this report to understand the interdependencies.

###

Control Engineering 2015 Cyber Security Study

Yesterday I posted a review of the recent SANS State of Industrial Control Systems Survey.  You can find that posting here.

Today I'd like to tell you about another interesting and equally disconcerting survey about the status of today's industrial control system security posture.

Each year Control Engineering Magazine conducts a survey of its readers to evaluate cyber security implementation, resources and training for industrial control systems.  Their 2015 Cyber Security report was issued this June.  A summary of the study posted by Control Engineering is located here.

The Control Engineering report is essentially in presentation format and has a collection of graphs and data relative to the data collected.  It is a pretty easy and quick read and offers similar data to the SANS Survey.

Statistics and Findings

The Control Engineering analysis included data collected from 284 respondents in the first quarter of 2015.  The report includes the following summary findings:

1.  Threat Levels:  47% of respondents perceive their control systems to be "moderately" threatened by cyber attacks.  25% say theirs is "highly" threatened and 8% are at the "severe" threat level.

2.  Most Concerning Threat:  Their responses included:

• 35% view the most concerning threat is malware from a random source
• 18% worried about loss of intellectual property
• 8% fear attacks from "hacktivists" with political or environmental agendas.

3.  Most Vulnerable System Components:  The components of most concern include:

• Connections to other internal systems (SANS is similar)
• Computer assets running commercial operating systems (Same as SANS)
• Network devices
• Wireless communication devices and protocols
• Connections to the field SCADA networks

4.  Vulnerability Assessments:  39% of those surveyed said their last vulnerability assessment was performed within the last six months (Good!); while 16% have never executed one (Not So Good).

5.  Publicly Reporting Incidents:  66% of those surveyed say publicly reporting cyber-related incidents would benefit the industry.  36% agree that the biggest problem with public reporting is the fear of losing consumer confidence.

6.  Resources Used to Monitor Control System Cyber Security Events:

• Anti-virus software (99%)
• Network logs (89%)
• Firewall logs (89%)
• Intrusion Detection/Prevention (84%)
• Whitelisting (76%)

Overall....

Overall this is a useful survey to examine and as I noted for the SANS ICS Security Survey, these reports should be reviewed and digested by security professionals responsible for ICS security and shared with their executive management to show them that security is a concern and should be theirs, too.

###

State of Industrial Control Systems Security - A SANS Survey

This month the SANS Institute published its annual State of Security in Control Systems Today.  The results were prepared by Messrs. Derek Harp (SANS) and Bengt Gregory-Brown (Sable Lion Ventures LLC).

You can download the report from the SANS Reading Room at:  https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042 

Some Thoughts...

The report is a quick and useful read.  I'd highly recommend that not only ICS Security Professionals read and digest this report but also it be shown to the skeptical executives in their organization.

So, here are some key bullets gleaned from my read:

• Top four concerns by those surveyed include:
  
• Ensuring reliability and availability (68%)
• Lowering risk/improving security (40%)
• Preventing damage (28%)
• Ensuring health and safety (27%)
  
• Rapid detection of security incidents on ICS is key because the longer the breaches remain unknown, the greater the potential impact.
  
• The integration of IT into control system networks was chosen by 19% of respondents as the single greatest threat vector.  The top three threat vectors were a) External Threat, b) Internal Threat, and c) Integration of IT into the Control System Networks.
  
• 74% of respondents believe that their external connections are not fully documented.  (Ugh!)  Simply identifying and detailing connections and attached devices in a network is a key step to securing it.
  
• Another challenge highlighted in the survey is a lack of visibility into control system equipment and network activity.  Thus this inhibits progress in securing assets and decreases activity in accuracy of self-evaluations.

Read the Margin Notes!

One editorial and formatting aspect of the report I liked was inclusion of marginal notes called TAKEAWAYs.  These notes are useful helpful ideas for the ICS security person to implement -- or at least consider -- when trying to protect their ICS systems.  A few examples of the TAKEAWAYs are:

• Know what is normal.  Lack of visibility into control system networks is one of the greatest barriers to securing these resources.  Without awareness of normal communications and activity, it's impossible to properly evaluate or improve security of assets.  Operations and security staff must be able to visualize and verify normal network operations to detect and assess possible abnormalities and respond to potential breaches.
  
• Gain visibility into control system networks.  Map all devices, physical interconnections, logical data channels and implemented ICS protocols among devices, including read coils, write registers, scans and time stamps.  Establish a fingerprint of normal control network activity and communication, including communication patterns, schedules and protocols.  Then, establish device logging, strict change management and automated log analysis based on your baseline data.
  
• Integrate security into procurement and decommissioning processes.  Establishing security of software or devices is cheaper, easier and more effective prior to deployment.  The burden of maintaining security is lighter when you start from a secure state.  And, security should be included in the decommissioning and removal of devices to avoid opening serious vulnerabilities.

Again, a great job by SANS, Derek and Bengt!  Take the time to download and read this report and take advantage of the ideas to improve the security of your ICS networks.

###