Оглавление
Ernie Hayden MIPM CISSP CEH GICSP(Gold) PSP. Critical Infrastructure Risk Assessment
Critical Infrastructure. Risk Assessment
COPYRIGHT ©2020, Ernie Hayden
WHAT YOUR COLLEAGUES ARE. SAYING ABOUT CRITICAL INFRASTRUCTURE RISK ASSESSMENT
DEDICATION AND. ACKNOWLEDGEMENTS. The Genesis
Dedications
Acknowledgements
Foreword. by Kirk Bailey
Foreword. by Peter Gregory
Introduction
“Oh, Crap!”
In this chapter you will discover:
Who Should Read This Book?
What Risk?
What is a Risk Assessment?
The Risk Assessment Flow Chart
Your Job
REFERENCES
PART I. FOUNDATIONS
Chapter 1. Just What is. Critical Infrastructure?
1.1 What is Critical Infrastructure?
1.2 Critical Infrastructure Conceptual Development — United States
1.2.1 Mid-1990’s — Executive Order 13010
1.2.2 1998 — Presidential Decision Directive (PDD) 63
1.2.3 2001 (Post 9/11) Executive Order 132 2823
1.2.4 2001 (Post 9/11) USA PATRIOT Act24
1.2.5 2002 National Strategy for Homeland Security26
1.2.6 2003 National Strategy for Physical Infrastructure Protection
1.2.7 2003 Homeland Security Presidential Directive (HSPD-7)
1.2.8 2013 Presidential Policy Directive 21 — Critical Infrastructure Security and Resilience (PPD-21)
1.3 International Perspectives on Critical Infrastructure
1.3.1 United Kingdom
1.3.2 Canada
1.3.3 Australia
1.3.4 New Zealand
1.3.5 European Union
1.3.6 Germany
1.3.7 Netherlands
1.3.8 Japan
1.4 Critical Infrastructure — A Missing Sector
1.5 Critical Infrastructure Interdependencies
1.5.1 Seattle Tacoma Airport Oil Pipeline Interdependencies
1.5.2 Critical Infrastructure Interdependencies with Orbiting Satellites
1.5.3 The Expansive Nature of Interdependencies and Critical Infrastructure
1.6 Conclusion
1.7 Questions for Further Thought and Discussion
REFERENCES
Chapter 2. Risk and Risk Management
2.1 What is Risk?
2.1.1 Threat
2.1.2 Vulnerability
2.1.3 Probability
2.1.4 Consequences or Impact
2.1.5 Nuances of Risk
2.1.6 Risk Appetite and Tolerance
2.1.7 Risk Velocity
2.2 Risk Management
2.2.1 Risk Management Principles
2.2.2 Addressing Risk
2.2.3 Risk Management Process
2.2.4 Risk Management Focus — Component or System
2.2.5 Risk Management Focus — Defensive and Offensive
2.2.6 Risk Management Focus — Checklist Approach
2.2.7 Risk Management — Convenience vs Liability or Risk
2.2.8 Risk Management — Summary Guidance
2.3 The Next Chapter — Risk Assessment
2.4 Questions for Further Thought and Discussion
REFERENCES
Chapter 3. Risk Assessment
In this chapter you will:
3.1 Definitions of Risk Assessment
3.2 Assessment Foundational Principles, Scope, and Applicability
3.3 Application of Risk Assessments
3.4 Risk Assessment Techniques
3.4.1 Ad-hoc Risk Assessment
3.4.2 Deductive Risk Assessment
3.4.3 Inductive Risk Assessment
3.4.4 Targeted Risk Assessment
3.5 Assessment Approaches — Qualitative vs Quantitative
3.6 Dynamic Risk Assessment
3.7 Difference Between Assessment and Audit57
3.8 Assessment Models
3.8.1 ISO 31000
3.8.2 NIST SP 800-30, R1 — Guide for Conducting Risk Assessments
3.8.3 NIST SP 800-30, R0 — Risk Management Guide for Information Technology Systems
3.8.4 Cyber Security Assessments of Industrial Control Systems — Good Practice Guide
3.8.5 Hybrid Risk Assessment Flow Chart
3.9 Assessment Process
3.9.1 Pre-assessment/Planning
3.9.2 Conducting the Assessment
3.9.3 Reporting
3.10 Questions for Further Thought and Discussion
REFERENCES
PART II. HANDBOOK
Chapter 4. Pre-Assessment
In this chapter you will discover:
4.1 Planning
4.2 Identify Team Members
4.3 Identify Assessment Goals
4.4 Collect Artifacts, Templates, Preliminary Documentation
4.5 Define the Assessment Plan
4.6 Hold the Initial Team Meeting
4.7 Client Kick Off Call
4.8 Data Requests to Client
4.9 Packing & Travel Planning
4.10 Devising the Work Plan
4.10.1 Example Site Risk Assessment Visit Plan
4.10.2 Preparing Your Steno Pad
4.10.3 Pre-Checking Control System Assets for Vulnerabilities
4.11 Excited to Start the Assessment
REFERENCES
Chapter 5. The Power of the Observation
In this chapter you will discover:
5.1 An Introduction to the History of Observations
5.2 Just What is an “Observation?”
5.3 Observation Format
5.4 Critical Thinking
5.4.1 Asking “Why?”
5.4.2 Communicating Your Observations
5.4.3 Raising Issues
5.5 Unintended Influence of the Observation on Performance of Work
5.6 Writing the Observation
5.7 The Power of the Observation
REFERENCES
Chapter 6. On Site
In this chapter you will discover:
6.1 On Site Arrival — Entrance Meeting
6.2 Example Site Schedule and Activities
6.3 Conducting Interviews
6.4 Photographs
6.5 Site Facility Inspections
6.5.1 Tools of the Inspection Trade
6.5.2 Inspection Data Collection
6.5.3 Tour Planning
6.5.4 “Working a Room”
6.6 Technical Reviews
6.7 Daily Team Meetings
6.8 Development of Strengths & Weaknesses
6.9 Site Exit Meeting
Questions to Consider
REFERENCES
Chapter 7. The Final Report
In this chapter you will discover:
7.1 Back in the Home Office — Compiling the Information
7.2 Important Terms of Art
7.2.1 Weakness
7.2.2 Strengths
7.2.3 Findings
7.2.4 Informational Observations
7.2.5 Good Practice
7.2.6 More About Findings
7.3 Identifying the Risk Level of Findings
7.3.1 Impact
7.3.2 Probability or Likelihood
7.3.3 Risk Assessment Matrix Development
7.4 Preparing the Draft Report
7.5 Report Review Process
7.6 The Future of the Report
REFERENCES
Chapter 8. Remediation
In this chapter you will discover:
8.1 Rule #1 — Don’t Shelve the Report and Findings!
8.2 Remember Your Objective
8.3 Assign a Professional Project Manager
8.4 Review the Entire Risk Assessment Report
8.4.1 Recognize the Strengths!
8.4.2 Assign Unique Numbers to Each Finding
8.5 Build the Remediation Team
8.6 Kick Off Meeting
8.7 Monthly Meetings (or More Frequent)
8.8 Addressing the Findings
8.9 Costs and Budgeting
8.10 Postmortem/After-Action Review
8.11 Questions for Consideration
REFERENCES
Chapter 9. Continuing the Journey
“Hey Boss, I know how to do a Risk Assessment!”
Your Job
Thank You!
APPENDIX A. EXAMPLE RISK ASSESSMENT REPORT
INDEX
ABOUT THE AUTHOR
