THE METHOD
Most of the architectural and functional design for a given communications project has already been done for us through a myriad of applicable standards, (e.g. IETF, IEEE, ISA/IEC, CISA, NIST, INL CIE/CCE, HIPAA, PCI, CMMI/C, C2/M2, NERC, ISACA, ISC2, SANS, COBIT, ITIL, PMI PMBOK, and ISO).
With this over-abundance of guidance advising us, secure critical infrastructure data network design/build projects and their successful operation have the potential to self-define, if we let them. To elevate the prospect of creating a sustainable data communications system from a desired outcome to a certainty, remember…
'Follow the spec. so your data communications systems won't be a wreck.'
(…and be ever defending against the relentless onslaught of our seasoned adversary, Entropy.)
KNOWLEDGE SHARING and PROFESSIONAL CONTRIBUTIONS
Typical technology consultancies engage just long enough to solve an immediate issue or deliver a design…then collect the fee. At that point it's up to the owner/operator to keep things going.
For critical infrastructure this type of delivery is not an acceptable approach. Active knowledge-sharing of applied methods required for solutions sustainment is essential to ensure effective operations processes are in place AFTER the engagement is completed. Contributions in this section represent this philosophy.
Presenter, LinkedIn Live Event – Co-creator and presenter for live cybersecurity discussion, 'Cybersecurity Resilience: Strategies for Water and Grid Infrastructure'. Discussion focused on steps to establishing long-term cyber posture enhancement through established frameworks and latest thinking regarding the importance of People and Process - COMPLETED 4th Qtr 2023
Interview – Authority Magazine, Medium.com, 'Ransomware Attacks - 5 Things You Need To Do To Protect Yourself Or Your Business' - Published 1st Qtr 2022
Contributor Author – 'Digitization at the Heart of Cybersecurity, Asset Management'. Black & Veatch Insights Group Electric Report - Published 1st Qtr 2022
Author – IEEE Monthly Bulletin, 'Ransomware: A Change Would Do Us Good'. Short article promoting a change in approach to classic reliance on cybersecurity hygiene approaches to defense. The article suggests that network architecture, people and process aspects are equally important and should be emphasized in Cyber Attack For Ransom (CAFR) event response in utility OT environments - Published 4th Qtr 2022
Co-author and Presenter – Distributech International - 'Practical Protections to Combat Rising Ransomware'. A joint industry customer/consultant presentation showing how concepts such as the Idaho National Laboratories (INL) Consequence-Driven Cyber-Informed Engineering (CCE) framework, combined with proper packet network architecture help define a more robust response to Cyber Attack for Ransom (CAFR) events – COMPLETED 1st Qtr 2023
Author – 'How to Build Your Gameplay in the Fight Against Utility Ransomware' - short article reviewing core principles or 'pillars' for establishing an effective response plan to ransomware attacks. The intent is for utility operations leaders to focus efforts on essential categories of capabilities yielding the best chance of continued operation and service delivery within the context of a CAFR event - COMPLETED 2nd Qtr 2023
Certified Trainer Course, Idaho National Labs Consequence-Driven Cyber-Informed Engineering – Through in-person Accelerate Training, acquired knowledge to support investigating and assessing customer OT security postures utilizing newly released cybersecurity vulnerability assessment methodology for critical infrastructure. Evaluate possible efficacy, practicality of implementation of principles and any replication and/or enhancements of other established cyber assessment and protection approaches - September 2021
Contributing SME for Industry Standards Development – NERC CIP Critical Infrastructure Protection Committee (CIPC), participant for committee on Supply Chain Security. Formed to help North American Electric Reliability Corporation (NERC) advance the physical and cyber security of the critical electricity infrastructure of North America. The committee consists of both NERC-appointed regional representatives and technical subject matter experts - 2020/2021
Contributor/Co-presenter – Utilities Technology Conference Speaker (UTC), Ransomware Planning Presentation – Joint presentation with customer to demonstrate methods and requirements used for establishing planned technical responses to a CAFR (Cyber Attack For Ransom) event, without paying ransom, Portland, OR, August 2021
Contributing Author/Developer, Strategy Engine – Assist in creation of model for support of critical infrastructure Telecom Network Master Planning activities. Provides repeatable process for creation, tracking and evaluation of infrastructure and security project Key Performance Indicators (KPI's) and technical project Key Objectives (KO's). Co-developed with an electric utility customer and made compatible with existing best-practice network/security infrastructure assessment, and implementation execution processes, e.g., PAADIO - May, 2020
Co-Author and Co-Presenter – 'Low Impact Asset Assessment and Protections - Case Study', refined case-study examination of a successful NERC CIP Low Impact inventory and qualification-assessment involving 80 locations across a state, and thousands of devices. Work included implementation of over 40 industrial firewalls at select field locations, national North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Committee meeting, Minneapolis, MN - September 2018
Requested Reviewer – 'Energy Sector Asset Management for Electric Utilities, Oil and Gas Industry', National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) pre-publication release for public comment working draft - December 2017, Published 2018
Contributor Industry Standards – National Institute of Standards and Technology (NIST), National Cybersecurity Center of Excellence Partnership (NCEP), promoting mutual cooperation for collaboration to enhance trust in U.S. IT communications, data, and storage systems, lower risk for companies and individuals in the use of IT systems, and encourage development of innovative, job-creating cybersecurity products and services
Project Execution Process Co-developer and Custodian – I.T. and O.T. project planning, design and implementation process, 'PAADIO' Methodology builds upon ISO, PMI, Carnegie Mellon and other world-class contributors for promoting value-engineering project planning and execution, including CMMI principles and CAPEX / OPEX predictor inputs
Network Coursework Co-developer and Custodian – Customer-facing IP modernization education workshops, providing information and training on proven network and cybersecurity project and technology practices with practical fit, function and organizational impact perspectives. Assists business operations teams in developing their strategic telecommunications plans, execution and sustainment efforts
Invited Panelist – Utilities Technology Council National Meeting, Security Summit, 'Mission Critical Security - Getting it Secure, Keeping it Secure', Charlotte, North Carolina - May 2017
Invited Panelist – North American Electric Reliability Corporation ("NERC") GridSecCon, NIST National Cybersecurity Center of Excellence (NCCoE), Cybersecurity Portfolio and Framework panel member, w/Utilities Technologies Council, Quebec City, CAN - October 2016
Organizer/Moderator – Joint review and comment forum for Special Publication 1800-2 Identity Access Management for Electric Utilities: Utilities Technologies Council (UTC), Customer Representation, Black & Veatch with IEEE contributor, MITRE representing NIST National Cybersecurity Center of Excellence Overland Park, KS - March 2016
Invited Panelist – North American Reliability Corporation, Critical Infrastructure Protection, NERC CIP, 'Practical Implementations and Beyond', Utilities Telecom Council, US National Conference, Denver, Colorado - May 2016
Official Reviewer – National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) SP 1800-2 - Identity and Access Management Practice Guide for Electric Utilities, WERB Draft - February 2016
Contributor/Co-presenter – 'NERC Critical Infrastructure Protection (CIP) v5/6 Transitions', UTC Region 6 Meeting, Overland Park, KS - April 2016
Participant – NIST National Cyber Security Center of Excellence - Energy Provider Community, Situational Awareness Case Studies Review and Prioritization - 2015
Contributor/Co-presenter – ‘Building a Practical Cyber Security Practice', Utility Telecom Council, Region 6, Overland Park, KS - March 2015
Participant – NIST National Cyber Security Center of Excellence - Energy Provider Community, Identity Access Management Case Studies - 2015
Author and Presenter – ‘Practical IT/OT Convergence for Utility Networks’, UTC Canada National Conference, Calgary - September 2014
Invited Panelist/Presenter – ‘Smart Grid Convergence Using Multi-protocol Label Switching (MPLS)’, UTC National Conference, Orlando, Florida - May 2012
Author and Presenter – 'Foundations for MPLS VPN’s’, UTC Region 4, Indianapolis, IN - October 2012
Invited Panelist/Presenter – 'Network Infrastructure, Kansas Legislative Systems Strategic Plan (e-Democracy Strategies)', United States House of Representatives Executive Staff briefing, Topeka KS - December 2008