ICSJWG: Putting Numbers Behind Risk

Friday, September 15, 2017 @ 12:09 PM gHale

By Gregory Hale
Manufacturers constantly wrestle with whether they should fund a cybersecurity solution, because they don’t really know the costs associated with an operational shutdown caused by a cyber incident.

But that could soon end, because there is a model out there that can help make those numbers real.


“Business decision makers don’t care about security, they care about risk,” said Mike Radigan, senior advisor, cyber risk management at ABB during his Tuesday session entitled “Demystifying Cyber Risk: Enabling Effective Comparison to Operational Risk Issues” at the ICSJWG 2017 Fall Meeting. “Their question is how much risk is there?”

“The fundamental value of cybersecurity in an operating environment is its effect on risk,” he said. “How much less risk will exist if the cybersecurity task is undertaken.”

Radigan defined risk as the probable frequency and probable magnitude of future loss.

He then listed the questions to ask when quantifying risk:
1. How much risk do you have?
2. What is the impact of security on risk?
3. Where do I get the best risk management bang for the buck?

Those questions are important because before anyone can get funding for a cyber project, he or she has to show proof it is worth the money – in other words a positive return on investment.

This means the user needs to demonstrate how cyber risk can be quantified and normalized against other plant operational risk issues to enable well-informed decisions.

Radigan used a power plant as a case in point. First, validate the model for use in an operational environment; then quantify selected operational risk issues at the power plant; then quantify selected cyber risk scenarios at the power plant; and finally show value: decision support for key risk indicators (KRIs) and mitigation options.

In the scenario, Radigan said, the power plant’s furnace wall (the waterwall) leaks, there are issues with the first and second superheaters, the feedwater pump needs attention, and there is a generator failure to deal with.

By talking to various stakeholders, they were able to build a chart of loss event frequency and loss magnitude, defining the minimum, maximum and most likely number of failures per year.

By plugging in the numbers for the top four issues at the power plant, they arrived at a high confidence level for what the figures looked like.

They were then able to plug in the days and costs associated with a failure, and the numbers can be pretty staggering.

In a generator failure scenario lasting 21 days, labor costs could run up to $500,000; in a 180-day failure, up to $3.2 million. For a waterwall leak, the minimum labor cost could be $75,000 at five days, and the maximum $250,000 if it went to nine days.

Adding material costs, a generator failure could range from as low as $200,000 to as high as $5 million. For a waterwall leak, material costs could range from a low of $5,000 to a high of $25,000.

Add revenue loss on top of that, and a generator failure carries a minimum loss of $5.1 million and a maximum of $7.3 million.

After determining those numbers for the operational risk, a user has to add in the cyber risk of an attack or incident.

To add in the cyber risk element, you also have to factor in:
• Cyber incident, loss of availability, resulting in a forced outage (criminal)
• External threat communities, multiple threat vectors:
  – Criminal Level 1: non-targeted (malware, ransomware)
  – Criminal Level 2: targeted attack (malware, ransomware)
• High-level assessment: assets are control system/functional systems

Again, by talking to stakeholders and understanding the history, they were able to add cyber risk numbers into the overall equation and show a financial outcome for a cyber-related incident.
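As an added illustration (not code from Radigan’s session or from ABB), the following small Monte Carlo model puts the frequency × magnitude form described above into working form, using the generator-failure cost ranges quoted in the session. The events-per-year estimate, the “most likely” values and the triangular distribution are assumptions of this example, not figures from the talk.

```python
import random
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Estimate:
    """Stakeholder estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float
    def sample(self, rng):
        # Triangular draw: an assumption of this example, the session names no distribution.
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class LossScenario:
    events_per_year: Estimate  # loss event frequency
    labor: Estimate            # loss magnitude, split as in the session
    material: Estimate
    revenue_loss: Estimate

def simulate_annual_loss(s, trials=20000, seed=7):
    """Monte Carlo samples of annualized loss = frequency x magnitude, sorted ascending."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        magnitude = s.labor.sample(rng) + s.material.sample(rng) + s.revenue_loss.sample(rng)
        samples.append(s.events_per_year.sample(rng) * magnitude)
    return sorted(samples)

def summarize(samples):
    # Mean and percentiles of the sorted samples: the "how much risk?" answer.
    n = len(samples)
    pct = lambda p: samples[min(n - 1, int(p * n))]
    return {"mean": mean(samples), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}

def risk_reduction(s, frequency_factor, seed=7):
    """Expected annual loss avoided when a control scales event frequency by frequency_factor."""
    f = s.events_per_year
    scaled = Estimate(f.low * frequency_factor, f.mode * frequency_factor, f.high * frequency_factor)
    mitigated = LossScenario(scaled, s.labor, s.material, s.revenue_loss)
    return mean(simulate_annual_loss(s, seed=seed)) - mean(simulate_annual_loss(mitigated, seed=seed))

# Magnitude ranges from the session's generator-failure figures; the frequency and "most likely" values are constructed.
GENERATOR_FAILURE = LossScenario(
    events_per_year=Estimate(0.02, 0.05, 0.20),
    labor=Estimate(500_000, 900_000, 3_200_000),
    material=Estimate(200_000, 1_000_000, 5_000_000),
    revenue_loss=Estimate(5_100_000, 6_000_000, 7_300_000),
)
```

`summarize(simulate_annual_loss(GENERATOR_FAILURE))` gives the annualized loss distribution in dollars, and `risk_reduction(GENERATOR_FAILURE, 0.5)` the expected loss avoided if a control halved the event frequency, which is the number a business case has to show.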

The long and short of it, Radigan said, is that users can demystify cyber risk by quantifying and normalizing it with other operational risk issues if they:
• Represent cyber risk in a common financial metric: the basis for comparison to operational risk, and the risk reduction benefit is the foundation for the business case
• Enable well-informed risk management decisions: effective comparisons and prioritization
• Enhance communication between OT and IT
• Enhance credibility with plant/OT decision makers
