Critical Infrastructure Risk Assessment. Ernie Hayden, MIPM, CISSP, CEH, GICSP(Gold), PSP
in January 2005. Kirk has been a positive intellectual influence on me. He has offered me ideas and perspectives on risk and security that I would never have considered without his stories, philosophies, and viewpoints regarding the world around us. Kirk is a brilliant man and I include him in this dedication.
My final, most loving dedication is to my wife, Ginny, and our daughter, Karina. Without their love, patience, and support through many interesting “opportunities” in my life, I would not be where I am today. I love you both so dearly!
Acknowledgements
My work on this book has not been a solo journey. I would like to thank the following friends and colleagues for their support, counsel, and ideas: Gil Oakley, Jennifer Tavaglione, Jose Alvarado, Brenda Serna, Kip Boyle, and Peter Gregory. I also want to thank Phil Rothstein and Glyn Davies for their support, encouragement, and editorial improvements.
Finally, I want to thank God for his foundational support and protection.
Ernie Hayden
August 2020
Foreword
by Kirk Bailey
Ernie Hayden knows what he’s talking about. I’m not alone in this opinion. There is a long list of his colleagues and appreciative clients in both the public and private sectors who will also salute his expertise and wisdom. If you’re a professional facing the challenge of assessing operational and institutional risks for a client or employer, you should keep this book handy — it’s a heck of a reference and guide. You should use it and you can trust it.
Ernie and I started working closely together not long after the horrible events of 9/11. We had crossed paths professionally a few years earlier, but in 2002 we found ourselves in mutually challenging jobs. I had just been hired as the first ever chief information security officer (CISO) for the City of Seattle and Ernie was hired as the first ever CISO for the Port of Seattle. We both found ourselves immediately overwhelmed with significant risk management challenges exacerbated by limited budgets, lack of useful tools, growing regulation and compliance issues and the typical political realities found in local government operations. Seeking each other out for help was a necessity.
Seattle and the Port of Seattle own and operate significant essential services, facilities, and infrastructure critical to the Pacific Northwest region and the country in general. They represent the foundation of an economic engine for Washington State and the larger regional economy. The scope and size of the critical infrastructure integral to the City’s and Port’s operations is vast.
When I came on board as Seattle’s CISO, local governments across the country were in hyper-reaction mode. Everyone was concerned about what they needed to do to prevent, prepare, and respond to potential terrorist attacks. There was high anxiety about protecting human life, iconic sites, and critical infrastructure. The Federal government was in overdrive trying to build threat information sharing systems and risk mitigation programs. I was working frantically to assess the cybersecurity-related threats and associated risks — especially as it related to critical infrastructure, essential services, and first responder operations. At the Port of Seattle, Ernie was up to his neck with the same scramble.
During the next few years we dug in and learned plenty about how to best assess and manage potent and complex risks. Early on, we knew that simply following government-issued security and operational checklists was not the answer considering the budget and resource issues in play. We forged a new risk management approach that took into consideration some tough realities.
The good news is that we both achieved some successes. Recalling those days, it’s easy for me to say that a primary reason for those successes was Ernie’s passion and energy for his work. He used creative approaches to educate his employer about risk issues and kept the focus on the highest priorities as well as what was achievable. His disciplined approach to problem solving and pragmatic thinking, his constant thirst for learning everything on every related subject, his professional connections, his common sense and sense of humor were a huge lift for our professional workloads and worries.
In 2005, I became the University of Washington’s first ever CISO. I spent the last 15 years of my career working to build the University’s cybersecurity program in a challenging and complex environment. Throughout those years I continued to rely on Ernie’s experience and wisdom. Having Ernie as colleague has been like having a private professional consultant on staff all the time.
Now Ernie has written this book. That’s a very good thing for anyone who will be tasked to perform professional risk assessments. Identifying and understanding risks is not an easy exercise; it is more of a craft than a practice. It requires more common sense, clear thinking, and a touch of imagination to do well. Blindly following checklists in manuals or requirement documents won’t cut it. It requires a methodology and mindset that can bring clarity and wisdom into the final report. That’s what Ernie is sharing in the following pages.
Kirk Bailey
CISO (retired)
University of Washington
Seattle, Washington
Foreword
by Peter Gregory
I first met Ernie Hayden in 2003 just as I stepped off the stage at the SecureWorld Expo conference in Seattle. Ernie attended my talk and came up to me afterward. He held up a book in his hands and exclaimed, “I’ve read your book!” referring to the first edition of CISSP For Dummies. That meeting would prove to be the start of a going-on-eighteen-years friendship.
Ernie was one of the early instigators of The Agora, a quarterly conclave of information security professionals in the Pacific Northwest. I attended as often as I could, which was usually 2-3 times each year. Ernie was always there, and I always made it a point to speak with him. While we didn’t get into many “deep dive” conversations, I knew right away that he was well learned in information security. As the CISO for the Port of Seattle (which included the shipping port, the cruise ship port, and the airport), Ernie was in the crucible of risk management for multiple high-profile critical infrastructure facilities that were very “out there” and visible to all.
Ernie and I, along with Dave Cullinane and Michael Ray of Washington Mutual Bank (WAMU), Kirk Bailey of the City of Seattle, Barb Padagas of Starbucks, Bruce Lobree of Costco, Ravila White of drugstore.com, and a few others, were co-founders of the Pacific CISO Forum, a peer roundtable of information security leaders in Seattle and beyond. Ernie was as involved as anyone there, and sometimes hosted our quarterly meetings at one of the port facilities.
Ernie was also involved in regional critical infrastructure disaster and attack simulation events. This is all to say that Ernie is a doer, and his community involvement is but one aspect of his professional testimony as a man who cares about his community and the people who live in it.
From then until now, Ernie has held a variety of positions in critical infrastructure protection, and this has taken him around the world where his services were needed. He has become one of the world’s premier experts on the topic. For him to write this book is a gracious and generous gift to the profession as a whole. This book is a treasure for the profession and will serve to advance the state of the art of critical infrastructure protection and the professional growth of hundreds or even thousands of others in the profession.
This book is a well-organized, step-by-step, how-to treatise on risk assessment and risk management for critical infrastructure. This book is a high-quality, high-density, low-noise reference to help any professional excel at big-picture or detail-oriented risk management and risk assessment work. It explains the concepts of risk, risk