Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook
$71.99
ASIS International 2021 Book of the Year!
As a manager or engineer have you ever been assigned a task to perform a risk assessment of one of your facilities or plant systems? What if you are an insurance inspector or corporate auditor? Do you know how to prepare yourself for the inspection, decided what to look for, and how to write your report?
This is a handbook for junior and senior personnel alike on what constitutes critical infrastructure and risk and offers guides to the risk assessor on preparation, performance, and documentation of a risk assessment of a complex facility. This is a definite “must read” for consultants, plant managers, corporate risk managers, junior and senior engineers, and university students before they jump into their first technical assignment.
WHAT YOUR COLLEAGUES ARE SAYING ABOUT CRITICAL INFRASTRUCTURE RISK ASSESSMENT
“Critical Infrastructure Risk Assessment is an invaluable reference for assessors, business managers, operators, and planners. And given a rapidly evolving geopolitical situation with nations and other actors motivated to compete and fight across multiple domains, the book could not come at a better time.” – Chuck Benson, Director of IoT Risk Mitigation Strategy, University of Washington
“What I particularly like about this book is how self-contained it is in its knowledge of statutes, approaches, resources, and recommendations. You need not look elsewhere for guidance in conducting infrastructure risk assessments. This book is a practitioner’s guide that anyone involved in managing, securing, or operating critical infrastructure would find invaluable. The book’s subtitle, “Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook” is no boast as this book lives up to its title.” – Tari Schreider, C|CISO, CRISC, MCRP, Cybersecurity Program Strategist, Author & Instructor
“Ernie Hayden has been in the industry for many years and offers a lot of practical advice in this book. The book is laid out in an easy-to-consume manner; it starts with foundational information and proceeds to detail the assessment process from start to finish. This book is a great reference for the facility manager, plant manager or consultant.” – Matt B., CISSP
“Ernie Hayden has provided an extraordinary work that goes beyond its title, addressing Risk Assessment for Critical Infrastructure, with all its elements: threat identification, vulnerability identification, and impact. But more than an academic exercise, Mr. Hayden has taken years of experience as a risk assessor, and provides a handbook that will be invaluable to both the novice assessor, the executive who has been charged with an assignment to have a risk assessment completed, and the seasoned assessor.” – Matt Lampe, Partner, Fortium Partners
“This handbook was written for anyone involved in critical infrastructure risk assessment. Ernie Hayden guides you through the quagmire of complex terms and essential concepts to gain a clear understanding of critical infrastructure and risk assessment. The responsible executive or risk assessor will want to keep this reference by their side while planning, conducting, or using any risk assessment.” – Gil Oakley, Retired, Institute of Nuclear Power Operations
At over 400 pages, this book is robust in its content of conducting a physical risk assessment on critical infrastructure. The author, Ernie Hayden has extensive experience in protecting critical infrastructure and has generously shared his years’ of experience gained from his Chief Information Security Officer (CISO) roles for the Port of Seattle, Seattle City Light, and as the Managing Principal of Critical Infrastructure Protection for Verizon. With widely reported eroding infrastructure within the US, this book is not only timely, but critically needed. But Ernie does not stop at US borders, he also provides insight in assessing risk to critical infrastructure located in Canada, the UK as well as many other countries.The book’s nine chapters are divided into two parts. Part I covers the background of critical infrastructure, risk management and the process of assessing risk. Part II walks the reader through conducting an effective risk assessment on critical infrastructure. The crown jewel in Ernie’s book is the sample risk assessment report provided as an Appendix. Here you can see the application of the lessons, guidance, and examples seeded throughout the book.
The book provides several great diagrams on the four dimensions of interdependent infrastructure cautioning the reader to not only assess risk on their specific infrastructure but consider the risk introduced by infrastructures they may be dependent. The level of detail provided even includes the types of tools one would need to perform a physical risk assessment of critical infrastructure. One could easily build a toolkit from the examples provided.
What I particularly like about this book is how self-contained it is in its knowledge of statutes, approaches, resources, and recommendations. You need not look elsewhere for guidance in conducting infrastructure risk assessments. Readers will have no ambiguity about what critical infrastructure is as Ernie provides ample definitions and examples of critical infrastructure. Ernie grounds us in the evolution of critical infrastructure directives, regulations, and laws, walking us through the evolution of the regulatory landscape. When it comes time to perform an assessment, the book walks you through the pre-assessment, on-site observations, writing a final report, and remediation strategies.
Each chapter provides questions for further thought and discussion for the stimulation of critical thinking. Readers will find the book well cited and easy to read. It becomes clear to the reader that the author has performed extensive critical infrastructure risk assessments by the level of detail provided that only an outlier would have. This book is a practitioner’s guide that anyone involved in managing, securing, or operating critical infrastructure would find invaluable. The book’s title “The Definitive Threat Identification and Threat Reduction Handbook” is no boast as this book lives up to its title. – Tari Schreider, C|CISO, CRISC, MCRP, Cybersecurity Program Strategist, Author & Instructor
Critical Infrastructure Risk Assessment:
The Definitive Threat Identification and Threat Reduction Handbook
by Ernie Hayden, MIPM, CISSP, CEH, GICSP(Gold), PSP
ASIS International 2021 Book of the Year!
“Critical Infrastructure Risk Assessment is the culmination of author Ernie Hayden’s decades of experience assessing and protecting the can’t-fail organizations responsible for national security and public safety,” said Dr. Jennifer Hesterman, chair of the ASIS Book of the Year committee. “As threats to critical infrastructure abound and evolve, risks must be continuously evaluated and security planning and activities tailored accordingly. This extremely well-written and easy-to-digest book is mandatory reading for everyone working in a critical infrastructure sector, from seasoned managers to new employees on the front lines.”
WHAT DEVASTATING THREATS DOES YOUR CRITICAL FACILITY FACE? WHAT CAN YOU DO TO ADDRESS THOSE RISKS?
Critical Infrastructure Risk Assessment is your hands-on, step-by-step guide to understanding, prioritizing, and mitigating, risk. Ernie Hayden guides you with tools, examples, processes plus a real-world example risk assessment report. You will also learn what constitutes critical infrastructure and risk, and you will be guided in risk assessment of any complex facility.
This handbook is for junior and senior personnel alike. Whether you’re a consultant, plant manager, corporate risk manager, engineer, or student, read this book before you jump into your first technical assignment!
CRITICAL INFRASTRUCTURE RISK ASSESSMENT WILL GUIDE YOU TO:
Understand Risk, Risk Management, and Risk Assessment.
Identify and reduce threat in the critical infrastructure sector
Prepare for your site Risk Assessment, and navigate from pre-visit through the final report.
Balance Risk Assessment activities including Observations and Inspections.
Weigh Critical, High, Medium, and Low Risk for your assessment findings.
Perform Interviews and Material Condition Inspections as part of the Risk Assessment Process.
Draw practical lessons from a real-world example risk assessment report.
Motivate and educate engineers to perform large-facility risk assessments.
Capture your risk assessment findings and strengths in a realistic, usable risk assessment report.
Make decisions and do the right thing when it comes to conducting an effective Risk Assessment of any large, complex facility.
WHAT YOUR COLLEAGUES ARE SAYING ABOUT CRITICAL INFRASTRUCTURE RISK ASSESSMENT
“Critical Infrastructure Risk Assessment is an invaluable reference for assessors, business managers, operators, and planners. As a result of the rapidly evolving geopolitical situation with nations and other actors motivated to compete and fight across multiple domains, the book could not come at a better time.”. – Chuck Benson, Director of IoT Risk Mitigation Strategy, University of Washington
“What I particularly like about this book is how organized it is. It’s easy to read and you gain knowledge of statutes, approaches, resources, and recommendations. You need not look elsewhere for guidance in conducting infrastructure risk assessments. This book is also practitioner’s guide that anyone involved in managing, securing, or operating critical infrastructure would find invaluable. Given these points, the book’s subtitle, “Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook” is no boast as this book lives up to its title.” – Tari Schreider, C|CISO, CRISC, MCRP, Cybersecurity Program Strategist, Author & Instructor
“Ernie Hayden has been in the industry for many years and offers a lot of practical advice in this book. The book is laid out in an easy-to-consume manner. For instance, it starts with foundational information and proceeds to detail the assessment process from start to finish. This book is also a great reference for the facility manager, plant manager or consultant.” – Matt B., CISSP
“Ernie Hayden has provided an extraordinary work that goes beyond its title. He addresses Risk Assessment for Critical Infrastructure, with all its elements: threat identification, vulnerability identification, and impact. But more than an academic exercise, Mr. Hayden has taken years of experience as a risk assessor, and provides a handbook that will be invaluable to both the novice assessor, the executive who has been charged with an assignment to have a risk assessment completed, and the seasoned assessor.” – Matt Lampe, Partner, Fortium Partners
“This handbook was written for anyone involved in critical infrastructure risk assessment. Ernie Hayden also guides you through the quagmire of complex terms and essential concepts to gain a clear understanding of critical infrastructure and risk assessment. The responsible executive or risk assessor will want to keep this reference by their side while planning, conducting, or using any risk assessment.” – Gil Oakley, Retired, Institute of Nuclear Power Operations
As a manager or engineer have you ever been assigned a task to perform a risk assessment of one of your facilities or plant systems? What if you are an insurance inspector or corporate auditor? Do you know how to prepare yourself for the inspection? Once you decide what to look for, do you know how to write your report?
This is a handbook for junior and senior personnel alike on what constitutes critical infrastructure and risk. It offers guides to the risk assessor on preparation, performance, and documentation of a risk assessment of a complex facility. This is a definite “must read” for consultants, plant managers, corporate risk managers, junior and senior engineers, and university students before they jump into their first technical assignment.
At over 400 pages, this book is robust in its content of conducting a physical risk assessment on critical infrastructure. The author, Ernie Hayden has extensive experience in protecting critical infrastructure and has generously shared his years’ of experience gained from his Chief Information Security Officer (CISO) roles for the Port of Seattle, Seattle City Light, and as the Managing Principal of Critical Infrastructure Protection for Verizon. With widely reported eroding infrastructure within the US, this book is not only timely, but critically needed. But Ernie does not stop at US borders, he also provides insight in assessing risk to critical infrastructure located in Canada, the UK as well as many other countries.
In two parts, Ernie’s book educates and provides practical information on how to conduct a thorough risk assessment. Part I covers the background of critical infrastructure, risk management and the process of assessing risk. Part II walks the reader through conducting an effective risk assessment on critical infrastructure. The crown jewel in Ernie’s book is the sample risk assessment report provided as an Appendix. Here you can see the application of the lessons, guidance, and examples seeded throughout the book.
The book provides several great diagrams on the four dimensions of interdependent infrastructure cautioning the reader to not only assess risk on their specific infrastructure but consider the risk introduced by infrastructures they may be dependent. The level of detail provided even includes the types of tools one would need to perform a physical risk assessment of critical infrastructure. One could also easily build a toolkit from the examples provided.
What I particularly like about this book is how self-contained it is. It covers knowledge of statutes, approaches, resources, and recommendations. You need not look elsewhere for guidance in conducting infrastructure risk assessments. Readers will have no ambiguity about what critical infrastructure is as Ernie provides ample definitions and examples of critical infrastructure. Ernie also grounds us in the evolution of critical infrastructure directives, regulations, and laws, walking us through the evolution of the regulatory landscape. When it comes time to perform an assessment, the book walks you through the pre-assessment, on-site observations, writing a final report, and remediation strategies.
Each chapter provides questions for further thought and discussion for the stimulation of critical thinking. Readers will find the book well cited and easy to read. It becomes clear to the reader that the author has performed extensive critical infrastructure risk assessments by the level of detail provided that only an outlier would have. This book is a practitioner’s guide that anyone involved in managing, securing, or operating critical infrastructure would find invaluable. Lastly, the book’s title “The Definitive Threat Identification and Threat Reduction Handbook” is no boast as this book lives up to its title. – Tari Schreider, C|CISO, CRISC, MCRP, Cybersecurity Program Strategist, Author & Instructor.
September, 2020.
382 pages including comprehensive index and real-world example risk assessment report.
Print – ISBN: 978-1-944480-71-4
EPUB ISBN – 978-1-944480-72-1
WEB PDF ISBN – 978-1-944480-73-8
About the Author
Ernie Hayden is a highly experienced and seasoned technical consultant, author, speaker, strategist, and thought-leader with extensive experience in the critical infrastructure protection/security domain, industrial controls security, cybercrime, cyberwarfare, and physical security areas. His primary emphasis is on offering expert advice and commentary on performing risk assessments of industrial controls, energy supply, and chemical/oil/gas/electric grid security, with special expertise on CIP-014-2 – Physical Security of Substations, and risks of commercial drones to critical infrastructure.
Hayden is currently the founder and principal of 443 Consulting, LLC. He has held roles as the Chairman, President, and CEO of MCM Enterprise – an advanced sensor company; industrial control security lead at Jacobs Engineering & Technology and BBA Engineering; executive consultant at Securicon LLC; and information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA, and Seattle City Light.
Ernie was a commissioned officer in the US Navy nuclear program and was on the commissioning crew of the USS Texas (CGN-39). For the first 25 years of his civilian life Ernie worked in the commercial nuclear arena as a technical manager at Westinghouse Electric, the Institute of Nuclear Power Operations (INPO), the Trojan Nuclear Plant, and the Electric Power Research Institute (EPRI).
Ernie is an accomplished writer and frequent author of blogs, opinion pieces, and white papers. He is an invited columnist for the “Ask the Experts” discussions on TechTarget-SearchSecurity. Other thought-leadership articles have included authoring a chapter on “Cybercrime’s Impact on Information Security,” in the Oxford University Press Cybercrime and Security Legal Series and several articles in Information Security Magazine including his original research on data lifecycle security and an article on data breaches in the same publication. Hayden has been quoted in DarkReading.com, the Boston Globe, Symantec Blog, and other major media outlets.
Ernie is a very active contributor in global security forums. He is currently a member of the European Union Network and Information Security Agency (ENISA) Stakeholder Board on Industrial Controls Security and was an invited contributor to the Caspian Strategy Institute (Hazar) (Turkey). He has been an instructor, curriculum developer, and advisor for the University of Washington Information System Security Certificate program in Seattle. Additionally, Ernie has been a contract instructor for the Cyberterrorism Defense and Analysis Center, sponsored by the U.S. Department of Homeland Security.
Contents
CONTENTS
WHAT THEY’RE SAYING ABOUT CRITICAL INFRASTRUCTURE RISK ASSESSMENT iii
DEDICATION AND ACKNOWLEDGEMENTS v
The Genesis v
Dedications v
Acknowledgements vi
Foreword by Kirk Bailey vii
Foreword by Peter Gregory xi
CONTENTS xv
Introduction 1
“Oh, Crap!” 1
In this chapter you will discover: 2
Who Should Read This Book? 3
What Risk? 4
What is a Risk Assessment? 5
The Risk Assessment Flow Chart 6
Your Job 8
REFERENCES 8
PART I FOUNDATIONS 9
Chapter 1 Just What is Critical Infrastructure? 11
1.1 What is Critical Infrastructure? 12
1.2 Critical Infrastructure Conceptual Development – United States 17
1.2.1 Mid-1990’s – Executive Order 13010 18
1.2.2 1998 – Presidential Decision Directive (PDD) 63 22
1.2.3 2001 (Post 9/11) Executive Order 13228 25
1.2.4 2001 (Post 9/11) USA PATRIOT Act 27
1.2.5 2002 National Strategy for Homeland Security 28
1.2.6 2003 National Strategy for Physical Infrastructure Protection 30
1.2.7 2003 Homeland Security Presidential Directive (HSPD-7) 32
1.2.8 2013 Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience (PPD-21) 32
1.3 International Perspectives on Critical Infrastructure 35
1.3.1 United Kingdom 36
1.3.2 Australia 39
1.3.3 New Zealand 41
1.3.4 European Union 42
1.3.5 Germany 45
1.3.6 Netherlands 47
1.3.7 Japan 48
1.4 Critical Infrastructure – A Missing Sector 50
1.5 Critical Infrastructure Interdependencies 52
1.5.1 Seattle Tacoma Airport Oil Pipeline Interdependencies 53
1.5.2 Critical Infrastructure Interdependencies with Orbiting Satellites 54
1.5.3 The Expansive Nature of Interdependencies and Critical Infrastructure 55
1.6 Conclusion 58
1.7 Questions for Further Thought and Discussion 58
REFERENCES 60
Chapter 2 Risk and Risk Management 65
2.1 What is Risk? 66
2.1.1 Threat 67
2.1.2 Vulnerability 74
2.1.3 Probability 75
2.1.4 Consequences or Impact 75
2.1.5 Nuances of Risk 76
2.1.6 Risk Appetite and Tolerance 79
2.1.7 Risk Velocity 81
2.2 Risk Management 81
2.2.1 Risk Management Principles 82
2.2.2 Addressing Risk 83
2.2.3 Risk Management Process 84
2.2.4 Risk Management Focus – Component or System 86
2.2.5 Risk Management Focus – Defensive and Offensive 89
2.2.6 Risk Management Focus – Checklist Approach 90
2.2.7 Risk Management – Convenience vs Liability or Risk 91
2.2.8 Risk Management – Summary Guidance 94
2.2 The Next Chapter – Risk Assessment 95
2.3 Questions for Further Thought and Discussion 95
REFERENCES 97
Chapter 3 Risk Assessment 99
In this chapter you will: 99
3.1 Definitions of Risk Assessment 100
3.2 Assessment Foundational Principles, Scope, and Applicability 103
3.3 Application of Risk Assessments 104
3.4 Risk Assessment Techniques 105
3.4.1 Ad-hoc Risk Assessment 105
3.4.2 Deductive Risk Assessment 106
3.4.3 Inductive Risk Assessment 107
3.4.4 Targeted Risk Assessment 107
3.5 Assessment Approaches – Qualitative vs Quantitative 107
3.6 Dynamic Risk Assessment 108
3.7 Difference Between Assessment and Audit 110
3.8 Assessment Models 112
3.8.1 ISO 31000 112
3.8.2 NIST SP 800-30, R1 – Guide for Conducting Risk Assessments 114
3.8.3 NIST SP 800-30, R0 – Risk Management Guide for Information Technology Systems 116
3.8.4 Cyber Security Assessments of Industrial Control Systems – Good Practice Guide 123
3.8.5 Hybrid Risk Assessment Flow Chart 125
3.9 Assessment Process 127
3.9.1 Pre-assessment/Planning 127
3.9.2 Conducting the Assessment 129
3.9.3 Reporting 130
3.10 Questions for Further Thought and Discussion 131
REFERENCES 132
PART II HANDBOOK 137
Chapter 4 Pre-Assessment 139
In this chapter you will discover: 139
4.1 Planning 141
4.2 Identify Team Members 142
4.3 Identify Assessment Goals 144
4.4 Collect Artifacts, Templates, Preliminary Documentation 145
4.5 Define the Assessment Plan 146
4.6 Hold the Initial Team Meeting 147
4.7 Client Kick Off Call 149
4.8 Data Requests to Client 152
4.9 Packing & Travel Planning 154
4.10 Devising the Work Plan 159
4.10.1 Example Site Risk Assessment Visit Plan 160
4.10.2 Preparing Your Steno Pad 165
4.10.3 Pre-Checking Control System Assets for Vulnerabilities 167
4.11 Excited to Start the Assessment 169
REFERENCES 170
Chapter 5 The Power of the Observation 171
In this chapter you will discover: 172
5.1 An Introduction to the History of Observations 174
5.2 Just What is an “Observation?” 177
5.2 Observation Format 178
5.3 Critical Thinking 182
5.3.1 Asking “Why?” 183
5.3.2 Communicating Your Observations 184
5.3.3 Raising Issues 184
5.4 Unintended Influence of the Observation on Performance of Work 185
5.5 Writing the Observation 186
5.6 The Power of the Observation 186
REFERENCES 187
Chapter 6 On Site 189
In this chapter you will discover: 190
6.1 On Site Arrival – Entrance Meeting 192
6.2 Example Site Schedule and Activities 193
6.3 Conducting Interviews 195
6.4 Photographs 197
6.5 Site Facility Inspections 197
6.5.1 Tools of the Inspection Trade 199
6.5.2 Inspection Data Collection 201
6.5.3 Tour Planning 205
6.5.4 “Working a Room” 208
6.6 Technical Reviews 211
6.7 Daily Team Meetings 221
6.8 Development of Strengths & Weaknesses 223
6.9 Site Exit Meeting 223
Questions to Consider 224
Chapter 7 The Final Report 227
In this chapter you will discover: 228
7.1 Back in the Home Office – Compiling the Information 230
7.2 Important Terms of Art 231
7.2.1 Weakness 231
7.2.2 Strengths 232
7.2.3 Findings 232
7.2.4 Informational Observations 233
7.2.5 Good Practice 233
7.2.6 More About Findings 234
7.3 Identifying the Risk Level of Findings 235
7.3.1 Impact 236
7.3.2 Probability or Likelihood 239
7.3.3 Risk Assessment Matrix Development 239
7.4 Preparing the Draft Report 241
7.5 Report Review Process 243
7.6 The Future of the Report 245
REFERENCES 246
Chapter 8 Remediation 247
In this chapter you will discover: 248
8.1 Rule #1 – Don’t Shelve the Report and Findings! 249
8.2 Remember Your Objective 249
8.3 Assign a Professional Project Manager 249
8.4 Review the Entire Risk Assessment Report 251
8.4.1 Recognize the Strengths! 255
8.4.2 Assign Unique Numbers to Each Finding 255
8.5 Build the Remediation Team 255
8.6 Kick Off Meeting 256
8.7 Monthly Meetings (or More Frequent) 259
8.8 Addressing the Findings 259
8.9 Costs and Budgeting 261
8.10 Postmortem/After-Action Review 263
8.11 Questions for Consideration 264
REFERENCES 265
CHAPTER 9 Continuing the Journey 267
“Hey Boss, I know how to do a Risk Assessment!” 267
Your Job 270
Thank You! 270
APPENDIX A EXAMPLE RISK ASSESSMENT REPORT 271
ABOUT THE AUTHOR 332
Foreword by Kirk Bailey
Ernie Hayden knows what he’s talking about. I’m not alone in this opinion. There is a long list of his colleagues and appreciative clients in both the public and private sectors who will also salute his expertise and wisdom. If you’re a professional facing the challenge of assessing operational and institutional risks for a client or employer, you should keep this book handy – it’s a heck of a reference and guide. You should use it and you can trust it.
Ernie and I started working closely together not long after the horrible events of 9/11. We had crossed paths professionally a few years earlier, but in 2002 we found ourselves in mutually challenging jobs. I had just been hired as the first ever chief information security officer (CISO) for the City of Seattle and Ernie was hired as the first ever CISO for the Port of Seattle. We both found ourselves immediately overwhelmed with significant risk management challenges exacerbated by limited budgets, lack of useful tools, growing regulation and compliance issues and the typical political realities found in local government operations. Seeking each other out for help was a necessity.
Seattle and the Port of Seattle own and operate significant essential services, facilities, and infrastructure critical to the Pacific Northwest region and the country in general. They represent the foundation of an economic engine for Washington State and the larger regional economy. The scope and size of the critical infrastructure integral to the City’s and Port’s operations is vast.
When I came on board as Seattle’s CISO, local governments across the country were in hyper-reaction mode. Everyone was concerned about what they needed to do to prevent, prepare, and respond to potential terrorist attacks. There was high anxiety about protecting human life, iconic sites, and critical infrastructure. The Federal government was in overdrive trying to build threat information sharing systems and risk mitigation programs. I was working frantically to assess the cybersecurity-related threats and associated risks – especially as it related to critical infrastructure, essential services, and first responder operations. At the Port of Seattle, Ernie was up to his neck with the same scramble.
During the next few years we dug in and learned plenty about how to best assess and manage potent and complex risks. Early on, we knew that simply following government-issued security and operational checklists was not the answer considering the budget and resource issues in play. We forged a new risk management approach that took into consideration some tough realities.
The good news is that we both achieved some successes. Recalling those days, it’s easy for me to say that a primary reason for those successes was Ernie’s passion and energy for his work. He used creative approaches to educate his employer about risk issues and kept the focus on the highest priorities as well as what was achievable. His disciplined approach to problem solving and pragmatic thinking, his constant thirst for learning everything on every related subject, his professional connections, his common sense and sense of humor were a huge lift for our professional workloads and worries.
In 2005, I became the University of Washington’s first ever CISO. I spent the last 15 years of my career working to build the University’s cybersecurity program in a challenging and complex environment. Throughout those years I continued to rely on Ernie’s experience and wisdom. Having Ernie as colleague has been like having a private professional consultant on staff all the time.
Now Ernie has written this book. That’s a very good thing for anyone who will be tasked to perform professional risk assessments. Identifying and understanding risks is not an easy exercise; it is more of a craft than a practice. It requires more common sense, clear thinking, and a touch of imagination to do well. Blindly following checklists in manuals or requirement documents won’t cut it. It requires a methodology and mindset that can bring clarity and wisdom into the final report. That’s what Ernie is sharing in the following pages.
Kirk Bailey
CISO (retired)
University of Washington
Seattle, Washington
Foreword by Peter Gregory
I first met Ernie Hayden in 2003 just as I stepped off the stage at the SecureWorld Expo conference in Seattle. Ernie attended my talk and came up to me afterward. He held up a book in his hands and exclaimed, “I’ve read your book!” referring to the first edition of CISSP For Dummies. That meeting would prove to be the start of a going-on-eighteen-years friendship.
Ernie was one of the early instigators of The Agora, a quarterly conclave of information security professionals in the Pacific Northwest. I attended as often as I could, which was usually 2-3 times each year. Ernie was always there, and I always made it a point to speak with him. While we didn’t get into many “deep dive” conversations, I knew right away that he was well learned in information security. As the CISO for the Port of Seattle (which included the shipping port, the cruise ship port, and the airport), Ernie was in the crucible of risk management for multiple high-profile critical infrastructure facilities that were very “out there” and visible to all.
Ernie and I, along with Dave Cullinane and Michael Ray of Washington Mutual Bank (WAMU), Kirk Bailey of the City of Seattle, Barb Padagas of Starbucks, Bruce Lobree of Costco, Ravila White of drugstore.com, and a few others, were co-founders of the Pacific CISO Forum, a peer roundtable of information security leaders in Seattle and beyond. Ernie was as involved as anyone there, and sometimes hosted our quarterly meetings at one of the port facilities.
Ernie was also involved in regional critical infrastructure disaster and attack simulation events. This is all to say that Ernie is a doer, and his community involvement is but one aspect of his professional testimony as a man who cares about his community and the people who live in it.
From then until now, Ernie has held a variety of positions in critical infrastructure protection, and this has taken him around the world where his services were needed. He has become one of the world’s premier experts on the topic. For him to write this book is a gracious and generous gift to the profession as a whole. This book is a treasure for the profession and will serve to advance the state of the art of critical infrastructure protection and the professional growth of hundreds or even thousands of others in the profession.
This book is a well-organized, step-by-step, how-to treatise on risk assessment and risk management for critical infrastructure. This book is a high-quality, high-density, low-noise reference to help any professional excel at big-picture or detail-oriented risk management and risk assessment work. It explains the concepts of risk, risk assessment, and the steps for performing a proper risk assessment found in few other texts. I especially appreciate the chapter on observation that instructs the reader how to perform various types of evidence gathering and the value of tech technique. While this book is highly detailed, each chapter contains numerous references where the reader can go for even more in-depth information on each chapter’s topics. The book’s appendix contains a detailed, lengthy sample risk assessment report that puts many of the topics in the book to use.
In my experience as an executive consultant and having served dozens of companies and agencies over the past six years, I can confidently say that half or more of all organizations practice little or no risk management at all. As the need for risk management becomes more apparent in organizations, this book should be in the library of every risk manager as well as every consultant performing risk assessments of critical infrastructure facilities – not on the shelf, but on the desk as a regular desk reference.
Peter Gregory
CISM, CISA, CIPM, CRISC, CISSP, CCSK, CCISO, QSA
Seattle, Washington
Additional information
Weight
2 lbs
Excerpt From Chapter 3, Risk Assessment: Difference Between Assessment and Audit
3.7 Difference Between Assessment and Audit
It is becoming more common that an industrial customer is increasing their concern for and awareness of cyber and physical security threats to their factories, large buildings, industrial control systems (ICS) and enterprise IT – especially in light of attacks such as WannaCry, Petya, etc. One of the customer’s initial actions is to evaluate their options for system security and they often ask for a “risk or security inspection.” These “inspections” are often viewed as an “audit” by the customer; however, the customer is better off with an “assessment” instead.
What is the difference between an “audit” and an “assessment?”
Well, the differences are pretty substantial, and each will yield a different level of scrutiny and different sets of actionable results. Also, each will give the management a different sense of how serious their risk is – or is not.
If you look at the differences between an audit and an assessment, consider the following:
The purpose of an audit is to compare current circumstances against a specific standard or set of standards and find specific gaps where the standard is not being met or achieved. An audit has the inspector comparing the customer’s activities against a particular list of requirements in an industry standard. Basically, the audit is identifying whether or not the customer is “complying” with these requirements, but not necessarily exceeding. The problem with this approach is a) the customer needs to identify the standard they expect to follow, and b) the auditor needs to have knowledge and capability to identify if the standard requirement is truly being satisfied or not. Unfortunately, the customer may not have any idea as to the applicable standards and the auditor will tend to not look beyond the standard’s requirements for areas needing attention. The audit is looking for “minimum achievement.”
Of note, it has been my own experience where those industrial customers outside the North American Electric Power and Transmission industry and oil/gas industries normally don’t know what “standard” they should “comply.” Therefore, the audit may not even be meaningful since the customer has never been working towards a standard anyway.
Assessments are about understanding the customer’s security posture. The goal of the assessment is to allow for the inspectors to use their experience and practical knowledge in conjunction with other recognized standards/guidelines for cyber and physical risk to look for ways the customer can achieve a higher level of performance and not simply meet minimum compliance. The assessment is not a strictly pass-fail approach but instead intended to give the customer a sense of the current “risk reality.” The assessment will also normally provide different gradients of risk to the facility and its operations. For instance, an assessment may categorize the findings as Critical Impact, High Impact, Medium Impact, or Low Impact. The assessment should also nominally provide feedback to the customer on identified strengths as well as informational findings that are outside the scope of the risk assessment. Basically, the assessment will give the customer a list of actions to take to mitigate issues and achieve a more ideal situation rather than simply satisfy a minimum requirement in a standard.
Industry standards can be used or cited during an assessment; however, for an assessment, the experience of the assessor will also be able to identify the quality of achievement of a standard. This is beneficial to the customer so they can gauge the amount of effort and resources necessary to correct a problem.
Do I use references when performing an assessment? Of course, audits are against a specific standard or set of standards – but that doesn’t mean to imply that assessments are not permitted to use any type of standards or guidelines. On the contrary, the more knowledge and experience an assessor has in the area of risk and cyber and physical controls, the better off for the customer. Therefore, in my role as an assessor I still often rely on selected documents to help me with my assessment performance depending upon the client, the facility, the reasons for the risk assessments, the regulatory environment, etc. We will discuss this more in later chapters.
Kip Boyle reminded me of a difference between audits and assessments: audits often become adversarial when conducted by outsiders which in turn encourages insiders to withhold or obscure the real situation if they feel threatened. This psychology is useful information for the executive management when choosing between an audit and assessment.
“At over 400 pages, this book is robust in its content of conducting a physical risk assessment on critical infrastructure. The author, Ernie Hayden has extensive experience in protecting critical infrastructure and has generously shared his years’ of experience gained from his Chief Information Security Officer (CISO) roles for the Port of Seattle, Seattle City Light, and as the Managing Principal of Critical Infrastructure Protection for Verizon. With widely reported eroding infrastructure within the US, this book is not only timely, but critically needed. But Ernie does not stop at US borders, he also provides insight in assessing risk to critical infrastructure located in Canada, the UK as well as many other countries.
“The book’s nine chapters are divided into two parts. Part I covers the background of critical infrastructure, risk management and the process of assessing risk. Part II walks the reader through conducting an effective risk assessment on critical infrastructure. The crown jewel in Ernie’s book is the sample risk assessment report provided as an Appendix. Here you can see the application of the lessons, guidance, and examples seeded throughout the book.
“The book provides several great diagrams on the four dimensions of interdependent infrastructure cautioning the reader to not only assess risk on their specific infrastructure but consider the risk introduced by infrastructures they may be dependent. The level of detail provided even includes the types of tools one would need to perform a physical risk assessment of critical infrastructure. One could easily build a toolkit from the examples provided.
“What I particularly like about this book is how self-contained it is in its knowledge of statutes, approaches, resources, and recommendations. You need not look elsewhere for guidance in conducting infrastructure risk assessments. Readers will have no ambiguity about what critical infrastructure is as Ernie provides ample definitions and examples of critical infrastructure. Ernie grounds us in the evolution of critical infrastructure directives, regulations, and laws, walking us through the evolution of the regulatory landscape. When it comes time to perform an assessment, the book walks you through the pre-assessment, on-site observations, writing a final report, and remediation strategies.
“Each chapter provides questions for further thought and discussion for the stimulation of critical thinking. Readers will find the book well cited and easy to read. It becomes clear to the reader that the author has performed extensive critical infrastructure risk assessments by the level of detail provided that only an outlier would have. This book is a practitioner’s guide that anyone involved in managing, securing, or operating critical infrastructure would find invaluable. The book’s subtitle “The Definitive Threat Identification and Threat Reduction Handbook” is no boast as this book lives up to its title.” – Tari Schreider, C|CISO, CRISC, MCRP, Cybersecurity Program Strategist, Author & Instructor
“Critical Infrastructure Risk Assessment is an invaluable reference for assessors, business managers, operators, and planners. And given a rapidly evolving geopolitical situation with nations and other actors motivated to compete and fight across multiple domains, the book could not come at a better time.” – Chuck Benson, Director of IoT Risk Mitigation Strategy, University of Washington
“Ernie Hayden has been in the industry for many years and offers a lot of practical advice in this book. The book is laid out in an easy-to-consume manner; it starts with foundational information and proceeds to detail the assessment process from start to finish. This book is a great reference for the facility manager, plant manager or consultant.” – Matt B., CISSP
“Ernie Hayden has provided an extraordinary work that goes beyond its title, addressing Risk Assessment for Critical Infrastructure, with all its elements: threat identification, vulnerability identification, and impact. But more than an academic exercise, Mr. Hayden has taken years of experience as a risk assessor, and provides a handbook that will be invaluable to both the novice assessor, the executive who has been charged with an assignment to have a risk assessment completed, and the seasoned assessor.” – Matt Lampe, Partner, Fortium Partners
“This handbook was written for anyone involved in critical infrastructure risk assessment. Ernie Hayden guides you through the quagmire of complex terms and essential concepts to gain a clear understanding of critical infrastructure and risk assessment. The responsible executive or risk assessor will want to keep this reference by their side while planning, conducting, or using any risk assessment.” – Gil Oakley, Retired, Institute of Nuclear Power Operations
Ernie Hayden has Credibility
“A lot of people talk about risk management and a lot of people talk about critical infrastructure, but very few people can talk about both of these densely packed subjects with as much credibility and enthusiasm as Ernie Hayden. I’ve been deep in the bowels of critical infrastructure as Chief Security Officer at NERC and Deputy Undersecretary for Cybersecurity at DHS, and have read dozens of books on both subjects, but Critical Infrastructure Risk Assessment is one of the most thorough books on conducting risk assessments I’ve seen. Anyone in the risk assessment business will dog-ear this handbook with use.
“Critical Infrastructure Risk Assessment is not only a historical refresher on national and international critical infrastructure and a broad discussion of risk, but a how-to model for identifying dependencies, observing, and methodically performing critical infrastructure risk assessments. It is well-documented and has a number of useful examples that provide the right amount of context for understanding particular items in detail. This is one recipe book you want in your library.” – Mark Weatherford