Critical Infrastructure

Bob Radvanovsky is an active professional in the United States with knowledge in security, risk management, business continuity, disaster recovery planning, and remediation. He has significantly contributed to establishing several certification programs, specifically on the topics of critical infrastructure protection and critical infrastructure assurance. Bob has special interests and knowledge in matters of critical infrastructure, and has published a number of articles and white papers regarding this topic. He has worked with several professional accreditation and educational institutions, specifically on the topics of homeland security and critical infrastructure protection and assurance. Allan McDougall is recognized as a technical expert in the corporate security management domain and has participated in a number of emerging endeavors, including the Strategic Leadership in Government Security and other courses. Within the private sector, his desire to look toward sound and innovative solutions has him involved in efforts to professionalize critical infrastructure protection, including the development of certification level training. He is certified as a Professional in Critical Infrastructure Protection, Certified Master Antiterrorism Specialist, and Certified Information Systems Security Professional. Allan’s primary focus is on the transportation sector, where he works within a number of communities.

Introduction to Critical Infrastructure Assurance and Protection
What Is Critical Infrastructure?
What Is the Private Sector?
What Is the Public Sector?
What Is CIP?
What Is CIA?
What Are Public-Private Partnerships?
Critical Infrastructure Functions
Evolution of Critical Infrastructure
Demand, Capacity, Fragility, and the Emergence of Networks
What Are We Trying to Protect? The Concept of Capacity
Demand: The Reason for Capacity
At the Regional (Small System) Level
Cyberterrorism
Dissolution and Convergence: An Emerging Risk
Marking the Journey
Beyond National Frameworks
Meeting the Dragons on the Map
Who Owns the Treasure?
What Value?
Target Audiences
Applying the NRF to National Response Efforts
How Does the NRF Tie in with Local Activities?
Areas of Potential Risk or Concern
Public-Private Partnerships
What Is a Public-Private Partnership (P)?
The P Spectrum
Establishment of New Capacity
Maintenance of Existing Capacity
Networked User Fees and the Need for Oversight
Other Forms of Public-Private Cooperation and the Erosion of Governance
Balancing Points
The Reinvention of Information Sharing and Intelligence
Data vs Information vs Intelligence
The Importance of Background to Context
Context Affecting Sensitivity
Enter the Cloud
The Cloud as an Amplifier
Clouds and Concealed Conduits
Linking the Trusted Computing Base and User Communities
Barriers to Information Sharing
The Rise of Open Sources
Open-Source Information and Intelligence
An Approach to Information Sharing—The Consequence-Benefit Ratio
Emergency Preparedness and Readiness
The Rise of Core Offices
First Responder
First Responder Classifications
Guideline Classifications
Example: North American Emergency Response Guidebook
Awareness-Level Guidelines
Performance-Level Guidelines
Operational Levels Defined
Level A: Operations Level
Level B: Technician Level
Know Protocols to Secure, Mitigate, and Remove HAZMAT
Additional Protective Measures
Understand the Development of the IAP
Know and Follow Procedures for Protecting a Potential Crime Scene
Know Department Protocols for Medical Response Personnel
National Fire Prevention Association
OSHA Hazardous Waste Operations and Emergency Response
Skilled Support Personnel
Specialist Employee
DOT HAZMAT Classifications
Importance of Implementing an Emergency Response Plan
Security Vulnerability Assessment
What Is a Risk Assessment?
Methods of Assessing Risk
Threat Risk Equations
Comparison of Quantitative vs Qualitative Risk Assessments
Challenges Associated with Assessing Risk
Other Factors to Consider When Assessing Risk
What Is an SVA?
Reasons for Having an SVA
What Is a Threat?
What Is Vulnerability?
Countermeasures
Vulnerability Assessment Framework
Reasons for Using the VAF
Federal Information Systems Control Auditing Manual
General Methodologies of FISCAM Auditing
What Are General Controls?
What Are Application Controls?
Caveats with Using an SVA
How the SVA Is Used
Audience of an SVA
Initial SVA Plan
Necessary Steps of an SVA
Critical Success Factors
VAF Methodology
Initial Steps of the VAF
VAF Step 1: Establish the Organization MEI
VAF Step 2: Gather Data to Identify MEI Vulnerabilities
VAF Step 3: Analyze, Classify, and Prioritize Vulnerabilities
Regulations
The Role of Oversight
The Effect of Globalization
Conventions, Laws, and Regulations
Guidance and Best Practices
Prescriptive vs Performance Based
Impact on Criminal, Administrative, and Civil Law
Potential Abuses of Authority and Credibility
Government vs Industry Self-Regulation
Knowledge Gaps Arising from Performance-Based Regulation
Predictability in Prescriptive Systems: A Systemic Vulnerability
Information Sharing and Analysis Centers
What Is a Critical Infrastructure Asset?
What Is an ISAC?
Advantages of Belonging to an ISAC
Access to ISAC Information
Expanded ISAC Services
Surface Transportation ISAC
Supply Chain ISAC
Public Transit ISAC
American Public Transportation Association
Association of American Railroads
Transportation Technology Center, Inc
Railinc
Water ISAC
Association of State Drinking Water Administrators
Water Environment Research Foundation
Association of Metropolitan Water Agencies
Association of Metropolitan Sewage Agencies
National Association of Water Companies
American Water Works Association
AWWA Research Foundation
Financial Services ISAC
Science Applications International Corporation
Electricity Sector ISAC
Emergency Management and Response ISAC
Information Technology ISAC
National Coordinating Center for Telecommunications
Communications Resource Information Sharing
Government Emergency Telecommunications Service
Telecommunications Service Priority
Shared Resources High Frequency Radio Program
Network Reliability and Interoperability Council
National Security Telecommunications Advisory Committee
Wireless Priority Services
Alerting and Coordination Network
Energy ISAC
Energy Sector Security Consortium
Chemical Sector ISAC
Chemical Transportation Emergency Center (CHEMTREC®)
Healthcare Services ISAC
Highway ISAC
Cargo Theft Information Processing System
American Trucking Associations
HighwayWatch®
Food and Agriculture ISAC
FoodSHIELD
Food Marketing Institute
Multistate ISAC
ISAC Council
Worldwide ISAC
Real Estate ISAC
The Real Estate Roundtable
Research and Educational Networking ISAC
Biotechnology and Pharmaceutical ISAC
Maritime ISAC
Maritime Security Council
Marine Transportation System National Advisory Council
Supervisory Control and Data Acquisition
What Are Control Systems?
Types of Control Systems
Components of Control Systems
Vulnerability Concerns about Control Systems
Adoption of Standardized Technologies with Known Vulnerabilities
Connectivity of Control Systems to Unsecured Networks
Implementation Constraints of Existing Security Technologies
Insecure Connectivity to Control Systems
Publicly Available Information about Control Systems
Control Systems May Be Vulnerable to Attack
Consequences Resulting from Control System Compromises
Wardialing
Wardriving
Warwalking
Threats Resulting from Control System Attacks
Issues in Securing Control Systems
Methods of Securing Control Systems
Technology Research Initiatives of Control Systems
Security Awareness and Information Sharing Initiatives
Process and Security Control Initiatives
Securing Control Systems
Implement Auditing Controls
Develop Policy Management and Control Mechanisms
Control Systems Architecture Development
Segment Networks between Control Systems and Corporate Enterprise
Develop Methodologies for Exception Tracking
Define an Incident Response Plan
Similarities between Sectors
US Computer Emergency Readiness Team CSSP
Control Systems Cyber Security Evaluation Tool (CSET)
SCADA Community Challenges
The Future of SCADA
SCADA Resources
Critical Infrastructure Information
What Is Critical Infrastructure Information?
How Does the Government Interpret CII?
Exemption 3 of the FOIA
Exemption 4 of the FOIA
Section 214 of the Homeland Security Act
Enforcement of Section 214 of the Homeland Security Act
What Does "Sensitive but Unclassified" Mean?
Information Handling Procedures
Freedom of Information Act
Need to Know
"For Official Use Only"
Enforcement of FOUO Information
Reviewing Web Site Content
Export-Controlled Information
Enforcement of Export-Controlled Information
Source Selection Data
Enforcement of Source Selection Data
Privacy Information
Enforcement of Privacy Information
Unclassified Controlled Nuclear Information
Enforcement of UCNI
Critical Energy Infrastructure Information
Enforcement of CEII
Controlled Unclassified Information
Lessons Learned Programs
InfraGard
Sensitive Unclassified Nonsafeguards Information (SUNSI)
Safeguards Information (SGI)
Glossary
Appendix
Index