Justifying Security Investment

Wednesday, March 7, 2012 @ 06:03 PM gHale

Editor’s Note: This is an excerpt from Frank Williams’ entry on the Practical SCADA Security blog at Tofino Security.

By Frank Williams
Finding the best way to justify the costs of implementing and maintaining a more secure process environment is new territory even for the most seasoned control system engineer. While it is easy to say we should just throw money at the issue and that would solve the problem, but that would be imprudent.

Instead, we all have to determine the right amount of investment in ICS and SCADA security measures.

RELATED STORIES
Defense in Depth: No Singular Approach
Time for a Revolution
Users Need to Push Security
Hacked Systems and Poor Passwords

Industrial control engineers are finding added complexity invading their world at an accelerated pace. Global competition continues to drive expectations of increased productivity. New technologies with shorter device life cycles demand compressed “pilot” project testing time. And the networking of everything forces tight integration between the enterprise network and the previously isolated, fit-for-purpose, process control network (PCN).

More and more, standardized technologies such as the Microsoft Windows operating system and Ethernet TCP/IP allow PCNs to migrate to open systems. Connecting control devices to such networks exposes their latent vulnerabilities to cyber attack. The result is increased production, safety and revenue risks to plant operations.

Reducing operational costs while reliably improving up-time (productivity) through effective use of new technology remains a daunting task for today’s control system engineer. Underpinning this challenge is tighter scrutiny from a more vigilant corporate financial officer (CFO) seeking stronger justification for the costs attached to the deployment of these same technologies.

In a post-Stuxnet world, it is clear automation devices present a target-rich environment for cyber attacks. Control devices are part of industrial networks typically connected directly to major infrastructures such as pipelines, electrical grids, and process equipment. The exposure these devices present to a cyber attack is huge.

Most informed people believe it’s not a matter of if, but when the attack will occur. And the outcome of an attack may result in the loss of proprietary or confidential information, damage to equipment, and, if severe enough, loss of public confidence in the company.

How much of a chance are you willing to take on your firm’s reputation? A reputation, perhaps built over years, can easily be laid to waste in one single “event”.

Let’s assume you realize you can’t ignore the risks of security incidents, but you don’t have an unlimited budget to apply to security measures.

Too much security would burden your organization unnecessarily, while not enough can significantly harm it. Striking the right balance is key.

How do you place value on the right amount of investment that fits your security requirements? You may want to start by figuring out how much is needed to mitigate the risks or to reduce the residual risk to an acceptable value for the business.

Step 1 of our white paper “The 7 Steps to ICS and SCADA Security” explains how to do a risk assessment and provides an example of a high-level ICS risk assessment. Each threat and its potential consequence are identified, and the severity, likelihood and risk of the consequence are rated using a high, medium or low scale. Doing a risk assessment gives you the information you need to prioritize your security efforts. Now, how do you decide how much to spend to prevent or mitigate threats?

ROI calculations don’t provide a true measure of the costs associated with security measures. In fact, there is no return in the traditional sense unless there is an event. And then the return is priceless.

So, how does an alert control engineer justify the costs to management? Many are using a comprehensive approach that includes the risk assessment component discussed above, along with a total cost of ownership (TCO) financial calculation.

In simple terms there are two types of costs: Direct costs and indirect costs. Direct costs are easy to define and consist of the actual purchase price of the security hardware, software and/or services. This may also include having a third-party with expertise in control system security do the Risk Assessment, particularly if it is a first time exercise for your organization.

Indirect costs are a bit trickier. Often times, these costs tend to dwarf the amounts related to direct costs and are more difficult to define, quantify and capture. Staff costs are usually the biggest component here, and they include costs related to training, installation, monitoring and upgrading security technologies.

In today’s security environment TCO also includes the potential lost value from not putting security measures in place. These “hidden” indirect costs include loss of operational productivity as well as the time lost by control engineering and IT staffers responding to malware.

Calculating the right amount of investment in cyber security measures is best summarized as follows:

1. Estimate the potential cost of individual security incidents with the help of the threats and ratings determined in the Risk Assessment.

2. Develop an annual model for security incidents and determine the total annual cost.

3. Optimize your spending on security by relating the annual security TCO to the annual cost of security incidents.

You do not need to become an expert on risk calculation or a financial genius to do this analysis. The important thing is your spending on SCADA security is the result of a quantifiable analysis and not merely a subjective figure.

According to a 2010 survey of over 1500 companies with mission critical applications conducted by Gartner Technology Research Group, the average manufacturing organization is spending about 5% of its manufacturing IT budget on security.

Companies should not necessarily worry if spending is higher or lower than the average, rather each firm must decide if their security spending is at the level that provides adequate mitigation and risk reduction to potential threats.

Frank Williams is senior product manager at Byres Security. Click here to read the full version of the Practical SCADA Security blog.