November 2013 was Critical Infrastructure Security and Resilience Month … Were You Involved?

Did you know that, on October 31, 2013, President Obama proclaimed November 2013 to be “Critical Infrastructure Security and Resilience Month”? You can see the proclamation at Note that the final “e” in the URL is missing, as was a proper amount of publicity, training and events.

The proclamation called “upon the people of the United States to recognize the importance of protecting our Nation’s resources and to observe this month with appropriate events and training to enhance our national security and resilience.” Well, what did you do about it? Anything? Were you even aware of the proclamation? Many were not.

I must admit that I was not aware of the designation of the month myself until early December (after the assigned period!). There was so much going on around such technical disasters as, that one’s attention was easily diverted. However, retrospectively, I do believe that I did indeed do my part, IMHO, albeit not with the proclamation in mind.

On November 13, 2013, I presented a paper on “Using Transaction-Level Simulation to Prepare for and Recover from Supply-Chain Disasters” at the IEEE Homeland Security Technology Conference in Waltham, Massachusetts. I would say that my subject was certainly under the umbrella of critical infrastructure resilience, though that was only one of several topic areas. Companies and agencies within the critical infrastructure depend heavily on supply chains and can be severely affected in the event of a natural or man-made disaster. My assertion was that, in order to get a handle on supply-chain risks and the consequences of disasters and catastrophic events, one has to build computer simulation models that depict the complex interactions and interdependencies among and between entities making up supply chains. The paper should be available shortly on the IEEE Xplore website.

The following Wednesday, November 20, I presented at the OWASP AppSec USA Conference in New York City on “Securing Cyber-Physical Application Software.” Critical infrastructure sectors, such as energy, telecommunications, and transportation, are replete with cyber-physical systems. These industrial control systems, which are increasingly being connected to information systems, manage our electricity grids, gas pipelines, oil refineries, power plants, air, sea and land travel, communications networks, and so on. Their security is paramount for maintaining safe and resilient infrastructures. My presentation was based on my book “Engineering Safe and Secure Software Systems,” which is among very few publications that actually try to address issue relating to securing cyber-physical software systems supporting critical sectors. The slide presentation is available at (you have to scroll down to my presentation at 11 AM on Wednesday).

I have to say that, when I searched on the proclamation, there were relatively few rather lackluster references to it. The usual sources—DHS, Energy, FEMA—did mention it, as well as other interested parties, but most of the mentions were during November, not in advance. Also, there didn’t appear to be much enthusiasm shown by those who did report it. It might have been because the proclamation itself was issued on October 31 and the month covered by the proclamation began the following day.

In any event, I think that this was mostly a lost opportunity. The language of the proclamation was careful, considered and low key. What is needed is for the Administration, Congress, government agencies, companies, and the press … that is, everyone with a voice, to be YELLING about the risks that threaten the Nation’s critical infrastructure and bring some strength and commitment to dealing with the threats.

Post a Comment

Your email is never published nor shared. Required fields are marked *