Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook
By: Ernie Hayden.
Material type: Book. Publisher: Rothstein Publishing, USA, 2020. Edition: 1st edition. Description: 336 p. ISBN: 9781944480714. DDC classification: 613.62

Holdings:

Current location | Home library | Call number | Status | Due date | Barcode | Item holds
---|---|---|---|---|---|---
Biblioteca Unipaz, Centro de Investigaciones Santa Lucia | Biblioteca Unipaz, Centro de Investigaciones Santa Lucia | 613.62 H414c (Browse shelf) | Available | | 9781944480714 |
Biblioteca Unipaz, Centro de Investigaciones Santa Lucia | Biblioteca Unipaz, Centro de Investigaciones Santa Lucia | 613.62 H414c (Browse shelf) | Available | | 9781944480715 |
CONTENTS
WHAT THEY’RE SAYING ABOUT CRITICAL INFRASTRUCTURE RISK ASSESSMENT iii
DEDICATION AND ACKNOWLEDGEMENTS v
The Genesis v
Dedications v
Acknowledgements vi
Foreword by Kirk Bailey vii
Foreword by Peter Gregory xi
CONTENTS xv
Introduction 1
“Oh, Crap!” 1
In this chapter you will discover: 2
Who Should Read This Book? 3
What Risk? 4
What is a Risk Assessment? 5
The Risk Assessment Flow Chart 6
Your Job 8
REFERENCES 8
PART I FOUNDATIONS 9
Chapter 1 Just What is Critical Infrastructure? 11
1.1 What is Critical Infrastructure? 12
1.2 Critical Infrastructure Conceptual Development – United States 17
1.2.1 Mid-1990s – Executive Order 13010 18
1.2.2 1998 – Presidential Decision Directive (PDD) 63 22
1.2.3 2001 (Post 9/11) Executive Order 13228 25
1.2.4 2001 (Post 9/11) USA PATRIOT Act 27
1.2.5 2002 National Strategy for Homeland Security 28
1.2.6 2003 National Strategy for Physical Infrastructure Protection 30
1.2.7 2003 Homeland Security Presidential Directive (HSPD-7) 32
1.2.8 2013 Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience (PPD-21) 32
1.3 International Perspectives on Critical Infrastructure 35
1.3.1 United Kingdom 36
1.3.2 Australia 39
1.3.3 New Zealand 41
1.3.4 European Union 42
1.3.5 Germany 45
1.3.6 Netherlands 47
1.3.7 Japan 48
1.4 Critical Infrastructure – A Missing Sector 50
1.5 Critical Infrastructure Interdependencies 52
1.5.1 Seattle Tacoma Airport Oil Pipeline Interdependencies 53
1.5.2 Critical Infrastructure Interdependencies with Orbiting Satellites 54
1.5.3 The Expansive Nature of Interdependencies and Critical Infrastructure 55
1.6 Conclusion 58
1.7 Questions for Further Thought and Discussion 58
REFERENCES 60
Chapter 2 Risk and Risk Management 65
2.1 What is Risk? 66
2.1.1 Threat 67
2.1.2 Vulnerability 74
2.1.3 Probability 75
2.1.4 Consequences or Impact 75
2.1.5 Nuances of Risk 76
2.1.6 Risk Appetite and Tolerance 79
2.1.7 Risk Velocity 81
2.2 Risk Management 81
2.2.1 Risk Management Principles 82
2.2.2 Addressing Risk 83
2.2.3 Risk Management Process 84
2.2.4 Risk Management Focus – Component or System 86
2.2.5 Risk Management Focus – Defensive and Offensive 89
2.2.6 Risk Management Focus – Checklist Approach 90
2.2.7 Risk Management – Convenience vs Liability or Risk 91
2.2.8 Risk Management – Summary Guidance 94
2.2 The Next Chapter – Risk Assessment 95
2.3 Questions for Further Thought and Discussion 95
REFERENCES 97
Chapter 3 Risk Assessment 99
In this chapter you will: 99
3.1 Definitions of Risk Assessment 100
3.2 Assessment Foundational Principles, Scope, and Applicability 103
3.3 Application of Risk Assessments 104
3.4 Risk Assessment Techniques 105
3.4.1 Ad-hoc Risk Assessment 105
3.4.2 Deductive Risk Assessment 106
3.4.3 Inductive Risk Assessment 107
3.4.4 Targeted Risk Assessment 107
3.5 Assessment Approaches – Qualitative vs Quantitative 107
3.6 Dynamic Risk Assessment 108
3.7 Difference Between Assessment and Audit 110
3.8 Assessment Models 112
3.8.1 ISO 31000 112
3.8.2 NIST SP 800-30, R1 – Guide for Conducting Risk Assessments 114
3.8.3 NIST SP 800-30, R0 – Risk Management Guide for Information Technology Systems 116
3.8.4 Cyber Security Assessments of Industrial Control Systems – Good Practice Guide 123
3.8.5 Hybrid Risk Assessment Flow Chart 125
3.9 Assessment Process 127
3.9.1 Pre-assessment/Planning 127
3.9.2 Conducting the Assessment 129
3.9.3 Reporting 130
3.10 Questions for Further Thought and Discussion 131
REFERENCES 132
PART II HANDBOOK 137
Chapter 4 Pre-Assessment 139
In this chapter you will discover: 139
4.1 Planning 141
4.2 Identify Team Members 142
4.3 Identify Assessment Goals 144
4.4 Collect Artifacts, Templates, Preliminary Documentation 145
4.5 Define the Assessment Plan 146
4.6 Hold the Initial Team Meeting 147
4.7 Client Kick Off Call 149
4.8 Data Requests to Client 152
4.9 Packing & Travel Planning 154
4.10 Devising the Work Plan 159
4.10.1 Example Site Risk Assessment Visit Plan 160
4.10.2 Preparing Your Steno Pad 165
4.10.3 Pre-Checking Control System Assets for Vulnerabilities 167
4.11 Excited to Start the Assessment 169
REFERENCES 170
Chapter 5 The Power of the Observation 171
In this chapter you will discover: 172
5.1 An Introduction to the History of Observations 174
5.2 Just What is an “Observation?” 177
5.2 Observation Format 178
5.3 Critical Thinking 182
5.3.1 Asking “Why?” 183
5.3.2 Communicating Your Observations 184
5.3.3 Raising Issues 184
5.4 Unintended Influence of the Observation on Performance of Work 185
5.5 Writing the Observation 186
5.6 The Power of the Observation 186
REFERENCES 187
Chapter 6 On Site 189
In this chapter you will discover: 190
6.1 On Site Arrival – Entrance Meeting 192
6.2 Example Site Schedule and Activities 193
6.3 Conducting Interviews 195
6.4 Photographs 197
6.5 Site Facility Inspections 197
6.5.1 Tools of the Inspection Trade 199
6.5.2 Inspection Data Collection 201
6.5.3 Tour Planning 205
6.5.4 “Working a Room” 208
6.6 Technical Reviews 211
6.7 Daily Team Meetings 221
6.8 Development of Strengths & Weaknesses 223
6.9 Site Exit Meeting 223
Questions to Consider 224
Chapter 7 The Final Report 227
In this chapter you will discover: 228
7.1 Back in the Home Office – Compiling the Information 230
7.2 Important Terms of Art 231
7.2.1 Weakness 231
7.2.2 Strengths 232
7.2.3 Findings 232
7.2.4 Informational Observations 233
7.2.5 Good Practice 233
7.2.6 More About Findings 234
7.3 Identifying the Risk Level of Findings 235
7.3.1 Impact 236
7.3.2 Probability or Likelihood 239
7.3.3 Risk Assessment Matrix Development 239
7.4 Preparing the Draft Report 241
7.5 Report Review Process 243
7.6 The Future of the Report 245
REFERENCES 246
Chapter 8 Remediation 247
In this chapter you will discover: 248
8.1 Rule #1 – Don’t Shelve the Report and Findings! 249
8.2 Remember Your Objective 249
8.3 Assign a Professional Project Manager 249
8.4 Review the Entire Risk Assessment Report 251
8.4.1 Recognize the Strengths! 255
8.4.2 Assign Unique Numbers to Each Finding 255
8.5 Build the Remediation Team 255
8.6 Kick Off Meeting 256
8.7 Monthly Meetings (or More Frequent) 259
8.8 Addressing the Findings 259
8.9 Costs and Budgeting 261
8.10 Postmortem/After-Action Review 263
8.11 Questions for Consideration 264
REFERENCES 265
CHAPTER 9 Continuing the Journey 267
“Hey Boss, I know how to do a Risk Assessment!” 267
Your Job 270
Thank You! 270
APPENDIX A EXAMPLE RISK ASSESSMENT REPORT 271
ABOUT THE AUTHOR 332
WHAT DEVASTATING THREATS DOES YOUR CRITICAL FACILITY FACE? WHAT CAN YOU DO TO ADDRESS THOSE RISKS?

Critical Infrastructure Risk Assessment is your hands-on, step-by-step guide to understanding, prioritizing and mitigating risk. Ernie Hayden guides you with tools, examples, processes plus a real-world example risk assessment report. With Ernie’s guidance, your critical facility will be safer and more secure!

You will learn what constitutes critical infrastructure and risk, and you will be guided in preparing, performing, and documenting a risk assessment of any complex facility.

This handbook is for junior and senior personnel alike. Whether you’re a consultant, plant manager, corporate risk manager, engineer, or student, read this book before you jump into your first technical assignment!

Critical Infrastructure Risk Assessment will guide you to:

• Understand Risk, Risk Management, and Risk Assessment.
• Navigate your Risk Assessment process from pre-visit through the final report.
• Prepare for your site Risk Assessment.
• Balance Risk Assessment activities including Observations and Inspections.
• Weigh Critical, High, Medium, and Low Risk for your assessment findings.
• Perform Interviews and Material Condition Inspections as part of the Risk Assessment Process.
• Draw practical lessons from a real-world example risk assessment report.
• Motivate and educate engineers on ways to perform large-facility risk assessments.
• Capture your risk assessment findings and strengths in a realistic, usable risk assessment report.
• Make decisions and do the right thing to conduct an effective Risk Assessment of any large, complex facility.