The document discusses how executives ask questions about security risks from a business perspective rather than solely as a technical issue. It focuses on assessing risk as a combination of consequence and likelihood of various incidents. The key message is that organizations should prioritize reducing the potential consequences of incidents, such as compromises of control systems, as this can be a more effective way to manage overall risk than focusing only on reducing likelihoods through technical security controls. Reducing consequences may involve design choices to prevent safety and operational impacts from cyber or other incidents.
4. Questions Executives Ask
• Are we going to get fined?
• Are we secure?
• Could this happen to us? (After the sizzle / FUD article of the day)
5. The infiltration of the Bowman Avenue dam represents a frightening
new frontier in cybercrime. These were no ordinary crimes, but
calculated attacks by groups with ties to Iran’s Islamic Revolutionary
Guard and designed specifically to harm America and its people.
US Department of Justice
7. Questions Executives Ask
• Are we compliant with regulations?
• Are we secure?
• Could this happen to us? (After the sizzle / FUD article of the day)
• If I spend the money you are asking for, will this make us secure?
• What other options do I have?
• Are there any unacceptable risks or risks that require executive acceptance in our risk management structure?
8. Potential Consequence (rows) by Likelihood (columns)
Likelihood scale:
• Very Unlikely: occurs once every 10,000 years
• Unlikely: occurs once every 1000 years
• Possible: occurs once every 100 years
• Known to Occur: occurs once every 20 years
• Common Occurrence: occurs once every 2 years
Catastrophic (scores 5, 10, 15, 20, 25 from Very Unlikely to Common Occurrence)
• Health & Safety: One or more fatalities; irreversible health problems for employees or community.
• Financial Loss: Loss exceeding $400M.
• Customer Impact: Outage to 30%+ of customers > 48 hours; Outage to .5%+ of customers > 30 days.
• Environmental: On or off site environmental damage that makes site or water supply unusable for one month or more. Sustained and substantial emissions violations.
• Reputation: National severe loss of reputation / Major negative story covered on wide range of national media.
Major (scores 4, 8, 12, 16, 20 from Very Unlikely to Common Occurrence)
• Health & Safety: Severe injuries, complex medical treatment for employees or community.
• Financial Loss: Loss between $40M - $400M.
• Customer Impact: Outage to 50%+ of customers > 48 hours; Outage to 3%+ of customers > 7 days.
• Environmental: On or off site environmental damage that makes site or water supply unusable for one week or more. Repeated substantial emissions violations.
• Reputation: Regional severe loss of reputation / Major negative story covered in wide range of media in OGE power delivery area.
Moderate (scores 3, 6, 9, 12, 15 from Very Unlikely to Common Occurrence)
• Health & Safety: Hospitalization for employees or community.
• Financial Loss: Loss between $4M - $40M.
• Customer Impact: Outage to 50%+ of customers > 6 hours; Outage to 1%+ of customers > 7 days.
• Environmental: On or off site environmental damage that makes site or water supply unusable for one day or more. Repeated minor emissions violations.
• Reputation: Regional loss of reputation / Negative story covered by media that covers the power industry.
Minor (scores 2, 4, 6, 8, 10 from Very Unlikely to Common Occurrence)
• Health & Safety: Medical treatment required or lost time exceeding one day.
• Financial Loss: Loss between $400K and $4M.
• Customer Impact: Outage to 50%+ of customers > 2 hours; Outage to 1%+ of customers > 1 day.
• Environmental: On or off site environmental damage that makes site or water supply unusable for less than a day. Occasional minor emissions violations.
• Reputation: Loss of reputation among groups of individuals noted through similar public feedback.
Negligible (scores 1, 2, 3, 4, 5 from Very Unlikely to Common Occurrence)
• Health & Safety: First aid required / no lost time.
• Financial Loss: Loss of $400K or less.
• Customer Impact: Outage to 50%+ of customers for 1 hour or less.
• Environmental: Potential environmental incidents that are prevented and don't require internal or external reporting.
• Reputation: Loss of reputation among groups of individuals noted through similar private feedback.
10. Big (Easy?) Likelihood Reduction
Effective Cybersecurity Perimeter
Solving ‘Walk Around The Perimeter’
• Removable media (USB) and multiple security zone laptops
Endpoint Protection
• Stop mass market malware & then mature to whitelisting
‘Some’ Security Patching
• Attack surface accessible thru security perimeter
11. Likelihood Reduction After Basics
• NOT more patching, individual accounts for Operators, frequent password changes
Insecure By Design
Access = Compromise
12. Most Common Protection Failure
(for those who are trying)
Highly Privileged Remote Access
13. We Are Not In A Competition To See Who Can Implement The Most Good Practice Security Controls
14. Risk = Consequence x Likelihood
Consequence Sets Maximum Risk
Likelihood is probability between 0 and 1
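The slide 8 matrix and the slide 14 formula as a small scorer, comparing a likelihood reduction with a consequence reduction. This is an added example, not part of the original deck. It uses only the Financial Loss column, and the scenario figures and the rule for rounding in-between intervals are assumptions.

```python
from bisect import bisect_left, bisect_right

# Bands transcribed from the slide 8 matrix (Financial Loss column, USD).
CONSEQUENCE = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]
LOSS_UPPER_BOUNDS = [400_000, 4_000_000, 40_000_000, 400_000_000]
# Likelihood columns, expressed as "occurs once every N years".
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Known to Occur",
              "Common Occurrence"]
INTERVAL_YEARS = [20, 100, 1_000, 10_000]  # ascending; maps to levels 4..1


def consequence_level(loss_usd):
    """Return 1 (Negligible) to 5 (Catastrophic); a boundary value stays in the lower band."""
    if loss_usd < 0:
        raise ValueError("loss must be non-negative")
    return bisect_left(LOSS_UPPER_BOUNDS, loss_usd) + 1


def likelihood_level(years_between_events):
    """Return 1 (Very Unlikely) to 5 (Common Occurrence).

    Assumption: an interval that falls between two columns is rounded to the
    more frequent column, so the score errs on the high side.
    """
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 5 - bisect_right(INTERVAL_YEARS, years_between_events)


def assess(loss_usd, years_between_events):
    """Score one scenario; 'ceiling' is the worst score this consequence can reach."""
    c = consequence_level(loss_usd)
    lk = likelihood_level(years_between_events)
    return {"consequence": CONSEQUENCE[c - 1], "likelihood": LIKELIHOOD[lk - 1],
            "score": c * lk, "ceiling": c * 5}


# Constructed scenario (not from the slides): a control system compromise.
baseline = assess(60_000_000, 20)          # as designed today
fewer_incidents = assess(60_000_000, 100)  # more security controls, same impact
smaller_impact = assess(3_000_000, 20)     # redesign limits impact, same frequency

if __name__ == "__main__":
    for name, r in [("baseline", baseline), ("fewer incidents", fewer_incidents),
                    ("smaller impact", smaller_impact)]:
        print(f"{name:16} {r['consequence']:8} x {r['likelihood']:15} "
              f"score={r['score']:2} ceiling={r['ceiling']}")
```

The consequence reduction lowers both the score and the ceiling, so the result holds even if the likelihood estimate turns out to be wrong.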
16. Simple Example: Vibration Monitoring
• GE Bently Nevada / System 1
• Can the system trip the turbine?
• Can the trip point be changed from a computer?
• Is that computer on the ICS network? Enterprise?
• Key Consequence Principle: Compromise of control system should not affect safety or protection
• Safety interlocks are a huge issue!