Critical Infrastructure Risk Assessment
The Definitive Threat Identification and Threat Reduction Handbook
by Ernie Hayden
Print — ISBN: 978-1-944480-71-4
EPUB — 978-1-944480-72-1
WEB PDF — 978-1-944480-73-8
COPYRIGHT ©2020, Ernie Hayden
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.
No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Local laws, standards and regulations should always be consulted first before considering any advice offered in this book.
Library of Congress Control Number: 2020938671
4 Arapaho Road
Brookfield, Connecticut 06804 USA
“Critical Infrastructure Risk Assessment is an invaluable reference for assessors, business managers, operators, and planners. And given a rapidly evolving geopolitical situation with nations and other actors motivated to compete and fight across multiple domains, the book could not come at a better time.”
Chuck Benson
Director of IoT Risk Mitigation Strategy
University of Washington
“What I particularly like about this book is how self-contained it is in its knowledge of statutes, approaches, resources, and recommendations. You need not look elsewhere for guidance in conducting infrastructure risk assessments. This book is a practitioner’s guide that anyone involved in managing, securing, or operating critical infrastructure would find invaluable. The book’s subtitle, “Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook” is no boast as this book lives up to its title.”
Tari Schreider
Cybersecurity Program Strategist, Author & Instructor
“Ernie Hayden has been in the industry for many years and offers a lot of practical advice in this book. The book is laid out in an easy-to-consume manner; it starts with foundational information and proceeds to detail the assessment process from start to finish. This book is a great reference for the facility manager, plant manager or consultant.”
Matt B.
“Ernie Hayden has provided an extraordinary work that goes beyond its title, addressing Risk Assessment for Critical Infrastructure, with all its elements: threat identification, vulnerability identification, and impact. But more than an academic exercise, Mr. Hayden has taken years of experience as a risk assessor, and provides a handbook that will be invaluable to both the novice assessor, the executive who has been charged with an assignment to have a risk assessment completed, and the seasoned assessor.”
Matt Lampe
Partner, Fortium Partners
“This handbook was written for anyone involved in critical infrastructure risk assessment. Ernie Hayden guides you through the quagmire of complex terms and essential concepts to gain a clear understanding of critical infrastructure and risk assessment. The responsible executive or risk assessor will want to keep this reference by their side while planning, conducting, or using any risk assessment.”
Gil Oakley
Institute of Nuclear Power Operations
The Genesis
Within the last few years — especially as my 65th birthday crept up on me — I decided to write a book on how to conduct risk assessments. Yes, there are multiple books on the theory of risk assessments but you simply cannot find handbooks identifying the practices and techniques to use when performing a risk assessment of a large facility. Therefore, I began the process of working on a book without a publisher with plans to simply self-publish.
Then, in 2019, Phil Rothstein of Rothstein Publishing posted an invitation to submit book ideas. Since I already had an outline, a chapter or two written, and even a business plan, I submitted the concept material for this book. Phil invited me to write this book for publication as part of the Rothstein Publishing family of books.
I’ve spent many hours working on this “letter to the industry.” I’ve done this through two house moves and a knee replacement! But I’ve been persistent and excited to get this knowledge out to the industry and to new engineers who will be conducting risk assessments in the future.
I dedicate this book to four people who have had such a strong influence on my life and my pursuit of this idea. First, on the professional front, I dedicate this book to my friends, mentors, and colleagues — Messrs. Mike Assante and Kirk Bailey.
Mike Assante passed away in July 2019. I’ve known Mike since about 2007 when I first met him in Chicago at an Information Security Magazine awards event. Since then Mike and I had occasionally exchanged emails as he moved up in the industry to Chief Security Officer of the North American Electric Reliability Corporation (NERC) and then to lead the SANS industrial control security efforts. Our paths literally crossed in 2018-2019 when we were both being treated for cancer at the Seattle Cancer Care Alliance, mine for melanoma and him for his leukemia. At that time, we exchanged many an email, text message, and phone call. Finally, on July 2, 2019, Mike sent me his final text message...“Love you shipmate.” He died on July 5th. This book is dedicated to Mike’s memory.
Kirk Bailey has been my security mentor and best friend since 2001 after the horrible events of 9/11. We first met when he was the Chief Information Security Officer (CISO) of the City of Seattle then later, when he was CISO of the University of Washington. We were