ASIS Council Resources
ASIS Critical Infrastructure Working Group
This guide was created to serve as a reference for all infrastructure categories and industries. It can assist both the private and public sectors with information relevant to critical infrastructure protection, disaster resilience, and continuity operations. Its conclusions are based on expertise with the nation’s 18 critical infrastructures and key resources from ASIS councils, the U.S. Department of Homeland Security, and academia.
White Paper, 2013
ASIS Utilities Security Council
This 29-page, peer reviewed paper written by security experts in both the public and private sector, describes advancements in comprehensive risk management in critical and high-risk environments, including nuclear generation, gas and oil refineries, and dam safety. Several charts depict a framework for managing risk. Key points include:
The expansion of utilities assets into the public domain—especially as it relates to the proliferation of IT assets in the smart grid and control systems—increases the potential for attacks.
A simple formula, risk = probability + consequences, can be used to measure risk for a utility.
If the risk assessment is inadequate, outdated, or unused, the utility could be held liable for damages if, for example, a patient became sick because the hospital did not have clean water.
Recorded Seminar Sessions
Securing the United States electric grid is a top priority for regulators and utilities. Current events have prompted security professionals to improve physical security measures at facilities. Four speakers review best practices for securing the electric infrastructure; discuss threats to transmission substations, generating plants, and electricity control centers; and consider the future of security regulation in the electricity sector.
In light of the 2016 Food Safety Modernization Act Final Rule, security professionals are tasked with reducing supply chain food adulteration vulnerabilities and developing a “Food Defense Plan.” The speaker examines resources available to the food defense practitioner to minimize risk exposure and meet outlined regulatory requirements.
Industrial control systems affect your everyday life, though most people never give them a second thought: the car you drive, the water you drink, the energy you consume, and the devices that safeguard your medical health all depend on them. This discussion measures industrial control system cyber success, provides actionable industrial cyber safety guidance, leverages virtual environments for real-time forensic value and monitoring, builds upon strong digital design principles, and shares perspectives on industrial control system compromise while discussing publicly known game-changing cyber threats.
The cyber frontier has joined land, sea, and air as a concern with unique challenges and hard-to-identify actors. The speaker discusses specific threats to U.S. critical infrastructure, including power grids, water supply, and nuclear plants. Methods of attack and 21st century hacking, data breaches, and information warfare are explored. Specific steps for risk and threat prevention and mitigation are also outlined.
The speakers review best practices for securing electric infrastructure and discuss the ongoing threat to transmission stations, generating plants, and electricity control centers. They discuss the newly implemented NERC CIP-014 Physical Security Standard and the future of security regulation in the electricity sector. They also explore how the standard has affected industry and overall system reliability.
Current and former representatives from the North American Electric Reliability Corporation (NERC) and the Electricity Security Information Sharing and Analysis Center (E-ISAC) discuss three topics: the CIP-014 physical security reliability standard; information sharing between utilities and government partners; and physical security assessment reviews and outreach visits. The status of the future Design Basis Threat initiative is also reviewed.
Security Management Articles
A majority of information security professionals believe that U.S. critical infrastructure will be breached by a cyberattack in the next two years.
Standardization is often seen as a positive in modern society, but there are risks in creating a monoculture—a homogenous culture lacking diversity—especially in cyberspace.
This report discusses eight challenges for the U.S. government to address to increase the electric grid’s cybersecurity, including ways to improve coordination across government agencies, review laws and regulations, and address system architecture.
The second part of this three-part executive order (EO) focuses on critical infrastructure cybersecurity. It calls for reports to identify ways that agencies can support the cybersecurity efforts of those critical infrastructure entities at the greatest risk of an attack resulting in catastrophic effects on public health or safety, economic security, or national security.
The air transit system has been considered a prime target since the beginning of the modern era of terrorism. From a terrorist’s perspective, hundreds of people trapped inside a pressurized metal tube at 30,000 feet are ideal targets not only because the victims are so vulnerable, but because of the heavy media coverage such attacks generate.
As a vital asset and symbol of democratic societies, water is a high-value target for terrorists. Also, the relative scarcity of water around the world can lead to global conflict. Author Yves Duguay encourages U.S. and Canadian security professionals to revisit the security risks associated with water and wastewater and assess the effectiveness of current layers of protection using an equation where risk is the product of likelihood, consequences, and vulnerabilities.
Some forward-thinking firms have adopted infrastructure resilience strategies that include contingency and emergency plans, which are practiced and reviewed with employees. In these plans, communication is critical and can lead to a clear competitive advantage. One negative trend is that infrastructure facilities are often guarded by officers with low pay and poor training. The security industry needs to rectify that vulnerability, say the speakers.
A 2015 power grid attack in Ukraine used malware to create a backdoor and plant a KillDisk component on targeted computers that made them unbootable and destroyed files. While the source of the attack is unclear, what made it possible is that many of Ukraine’s electric power facilities are connected to the Internet. Experts think that other critical infrastructure sectors in North America—such as water systems—may be vulnerable to similar attacks because they do not have the same standards as the energy sector. Companies need to assume that their systems will be breached and take steps to ensure that they can quickly detect, mitigate, and recover from an attack.
U.S. national intelligence leaders say they know what threats are going to test the nation and they are focusing their efforts on encouraging public and private organizations and employees to be the first line of defense.