Tag Archives: critical infrastructure

Don’t forget the water


Grand Coulee Dam

Changes in water temperature and water availability will lead to more power disruptions in the next decades.

Ernie Hayden points out several often overlooked facts regarding electrical power generation in his Infrastructure Security blog.

Water is critical in electricity generation. Heat is generated by fueled power sources which spin the generators, whether combustion engines, coal-fired, nuclear, or other. That heat has to go somewhere. The primary coolant used in industrial power generation is water. Warmer water and diminished water flow reduce the ability to take that heat away which in turn reduces power generation.

Hayden points out a few examples of where warmer water or reduced water flow caused power degradation or complete shutdown:

* Millstone Nuclear Plant, Connecticut, 2012 — natural cooling water source (Long Island Sound) became too warm (almost 3 degree F ambient increase since plant’s inception in 1975). Plant shutdown for 12 days
* Browns Ferry Nuclear Plant, Alabama, 2011 — shutdown multiple times because water from Tennessee River was too warm
* Corette Power Plant, Montana, 2001 — plant shut down several times due to reduced water flow from Yellowstone River

Estimates of thermoelectric power generating capability are expected to drop by as much as 19% due to lack of cooling water.  Further, incidents of extreme drops in generation capability, ie complete disruption, is expected to almost triple.

Keep up your scan

An Information Risk Management 'scan' can be similar to a cockpit scan

An Information Risk Management ‘scan’ can be similar to a cockpit scan

Much like flying an aircraft, we have ‘keep up our scan‘ when analyzing these system risks. These are complex interconnecting systems. We are becoming increasingly concerned about cyberattacks on electrical and smart grid systems. That attention is good and overdue, but that is only part of the puzzle. We have to train ourselves to constantly scan the whole system — just because there’s a big fire in front of us, it doesn’t mean that there’s not another one burning somewhere else.

For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.


[Image 1: Wikimedia Commons: Farwestern / Gregg M. Erickson. Image 2: author’s]

Motivating adoption of cybersecurity frameworks

US-WhiteHouse-LogoThe Federal government is seeking to motivate businesses that operate our nation’s critical infrastructure systems to voluntarily adopt a Cybersecurity Framework currently under development by NIST (National Institute of Standards and Technology).  These systems include the electricity generation and distribution grid, transportation systems, and drinking water storage and distribution systems.  A preliminary draft is available now here and it will also be presented in two weeks at the University of Texas.

Roughly simultaneously, the Departments of Homeland Security, Treasury, and Commerce have been developing various options to try to provide incentives for companies to voluntarily adopt the Framework.  Per the White House Blog, there are eight core areas or approaches to incentives under consideration.

  1. Engage the insurance industry to develop a robust cybersecurity insurance market.  As discussed in an earlier post, this is not without it’s challenges.
  2. Require adoption of the Framework for consideration of Federal grants related to critical infrastructure or include as a weighted criteria as a part of the grant evaluation process.  This seems reasonable to me, though it only incentivizes those companies applying for Federal grants (but maybe that’s most companies?)
  3. Expedite government service provision for various programs based upon adoption of the voluntary Framework adoption.  Again, seems logical, though this one seems a short step away from changing the ‘voluntary’ part of the Framework adoption.
  4. Somehow reduce liability exposure of companies that adopt the Framework.  Per the White House Blog, this could include reduced tort liability, limited indemnity, higher burdens of proof, and/or the creation of Federal legal privilege that preempts State disclosure requirements. If one were a cynic, that last one could sound like buying a loop hole.  This whole core area of modifying liability seems to be to be pretty tough to manage, particularly to manage transparently and equitably.
  5. The White House Blog says that “Streamlining Regulations” would be another motivator for participating companies.  I don’t get this one.  I don’t understand how the government could “streamline regulations” for one company but not for another.  Sounds to me like interpret the law one way for one company and another way for another company.
  6. Provide optional public recognition for participating companies.  This one seems like a good idea.  Sort of a Good Housekeeping Seal of Approval, Better Business Bureau endorsement, or similar to Joint Commission on Accreditation of Healthcare Organizations endorsement for hospitals.
  7. Companies in regulated industries such as utilities could be offered some sort of rate recovery contingent upon adoption.  This seems reasonable logically, but I would imagine a bear to implement and manage (which is kind of a theme for many of these).
  8. The White House Blog says that “cybersecurity research” is an incentive.  This one I don’t get either. How does identifying weak spots in the Framework and encouraging research in those weak areas motivate Framework adoption? I mean it’s a good thing to do, but how does that make any one particular company want to participate.

While these are proposals for incentives for critical infrastructure companies, I’m wondering if some of these can serve as a model for SMB’s for adoption of cybersecurity standards for SMBs. Adjusting cyber insurance premiums based on participation would seem to be an obvious approach. However, as has been discussed previously, a mature cyber insurance market does not yet exist and it’s not a slam dunk that one will evolve sufficiently fast to address this need.  For SMB’s seeking government grants, to include SBIR (Small Business Innovation Research) grants, compliance with an SMB cybersecurity framework would seem to be a no brainer. Also, optional public recognition for compliance with an SMB cybersecurity framework would seem to be a practical approach.

What would motivate you as an SMB to adopt an established Framework?