AEGIS 2014 POLICYHOLDERS’ CONFERENCE, BREAKOUT SESSION (July 30, 2014)
A Practical Guide to Getting Your Hands Around Cyber Risk

CYBER SECURITY RISK ASSESSMENT
Tom McDonnell, Manager, Insurance & Operational Risk Management, FirstEnergy Corp.
The assessment combines the Department of Energy’s Cyber Assessment Process, Factor Analysis of Information Risk (FAIR), a Threat-Vulnerability-Consequence Matrix, and FirstEnergy’s own risk assessment process.
• Purpose
  - To identify FirstEnergy’s Cyber Security risks, threats, and vulnerabilities
  - To quantify the risk exposures in financial terms, document current mitigation strategies, determine reporting frequency, and decide on risk mitigation / transfer strategies
• Players
  - (1) Cyber Security / IT Compliance, (2) Corporate Risk, (3) Subject Matter Experts (“SMEs”) in various organizations [IT, Fossil, FENOC, Energy Delivery, Smart Meter]
Structure

The Cyber Security Risk Assessment is broken into the following environments:

Environment / Definition
1. Information Technology: Corporate network, email, SAP, Energy Management System / Generation Management System (EMS/GMS)
2. Fossil Operations: Fossil plants and related equipment / cyber systems
3. Energy Delivery: Substations, transmission lines and related cyber systems
4. FENOC: Nuclear plants and related equipment / cyber systems
5. Smart Meter: Smart Meters, wireless communications, and other smart electricity distribution related cyber systems

Risk categories within each environment:
1. People: The risk that people (employees, third party personnel, the public) could have an adverse impact on our cyber systems
2. Processes: The risk that processes and procedures (missing, deficient or poorly implemented procedures) could have an adverse impact on our cyber systems
3. Technology: The risk that IT systems (component failure through design, implementation and / or maintenance) could have an adverse impact on our cyber security systems
4. External Factors: The risk that outside factors (natural disasters, nation state attack, etc.) could have an adverse impact on our cyber systems
Quantification Methodology
• Conducted meetings with SMEs to identify and quantify Cyber Security Risks in each category:
  - Identified (1) threats, (2) vulnerabilities, (3) affected assets, (4) range of consequences, and (5) current mitigation strategies
  - Quantified the minimum / most likely / maximum impacts based on:
    • Primary costs (e.g. production costs, response cost, replacement cost)
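The quantification step described above (SME estimates of minimum / most likely / maximum impact per event, combined with an event frequency, and reported at a 99% confidence level) is the kind of calculation FAIR practitioners usually run as a Monte Carlo simulation. The following Python is an added illustration, not FirstEnergy’s or AEGIS’s tool and not a reproduction of the deck’s numbers: the triangular impact distribution, the Poisson frequency model, the RiskScenario and quantify names, and the dollar figures are all assumptions made for the example. The 0.49 frequency is taken from the IT02 row of the results table later in the deck; the impact figures are constructed and do not reproduce the slide’s $144.8M.

```python
"""FAIR-style Monte Carlo quantification of a cyber risk scenario.

Added example for the min / most likely / max impact approach described in
the slides. Scenario inputs are constructed for the illustration; only the
structure (event frequency x per-event impact) follows the deck.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class RiskScenario:
    code: str
    threat: str
    vulnerability: str
    consequence: str
    annual_frequency: float    # expected loss events per year
    impact_min: float          # per-event impact in $M, SME minimum
    impact_most_likely: float  # per-event impact in $M, SME most likely
    impact_max: float          # per-event impact in $M, SME maximum


def impact_percentile(s: RiskScenario, q: float) -> float:
    """Closed-form quantile of the triangular(min, most likely, max) impact.

    With q = 0.99 this is the per-event "99% CL impact": the loss size that a
    single event exceeds only 1% of the time.
    """
    a, c, b = s.impact_min, s.impact_most_likely, s.impact_max
    split = (c - a) / (b - a)  # CDF value at the mode
    if q <= split:
        return a + math.sqrt(q * (b - a) * (c - a))
    return b - math.sqrt((1.0 - q) * (b - a) * (b - c))


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for small lambda)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: RiskScenario, years: int = 20000, seed: int = 2014) -> list:
    """Simulate total loss ($M) for each of `years` independent years, sorted ascending."""
    rng = random.Random(seed)
    a, c, b = s.impact_min, s.impact_most_likely, s.impact_max
    losses = []
    for _ in range(years):
        n = poisson_draw(rng, s.annual_frequency)
        # random.triangular takes (low, high, mode); one draw per event that year
        losses.append(sum(rng.triangular(a, b, c) for _ in range(n)))
    losses.sort()
    return losses


def percentile(sorted_values: list, q: float) -> float:
    """Empirical q-quantile of an ascending list (nearest-rank method)."""
    idx = int(math.ceil(q * len(sorted_values))) - 1
    return sorted_values[min(max(idx, 0), len(sorted_values) - 1)]


def quantify(s: RiskScenario, years: int = 20000, seed: int = 2014) -> dict:
    """Summarise a scenario the way the results slide does: frequency, 99% CL impact, plus annual loss figures."""
    losses = simulate_annual_losses(s, years, seed)
    return {
        "code": s.code,
        "annual_frequency": s.annual_frequency,
        "expected_annual_loss": sum(losses) / len(losses),
        "p50_annual_loss": percentile(losses, 0.50),
        "p99_annual_loss": percentile(losses, 0.99),
        "p99_single_event_impact": impact_percentile(s, 0.99),
    }


# Constructed sample scenario: frequency from the deck's IT02 row, impacts invented for the example.
IT02_EXAMPLE = RiskScenario(
    code="IT02",
    threat="Cyber criminals",
    vulnerability="Inadequate procedures / compromised cyber systems",
    consequence="Network data breach",
    annual_frequency=0.49,
    impact_min=5.0,
    impact_most_likely=20.0,
    impact_max=150.0,
)

if __name__ == "__main__":
    for key, value in quantify(IT02_EXAMPLE).items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
```

Two figures come out of this that are easy to confuse. The per-event 99% CL impact (the column on the results slide) depends only on the SME min / most likely / max and says how bad one event can plausibly be; the annualised p99 folds in the frequency and is what a risk-transfer decision (retention versus cover limit) usually needs. With a frequency below one event per year the median annual loss is zero, which is exactly why the deck reports the 99% tail rather than an average.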
Threats – Vulnerability – Consequence Matrix
Scenario: Nation State attacks FE with determination, resources, and expertise with the goal of causing a significant BES outage

Threats
- Nation State: performing a complex and multifaceted attack

Vulnerabilities
- Employees with privileged access to network, systems, etc.
- Virus / malware infection
- Zero-day software vulnerability
- User clicking on phishing or spear phishing link or
Threats – Vulnerability – Consequence Matrix
Scenario: Cyber criminal and current disgruntled employee attack FE cyber infrastructure to gain customer information such as SSNs and bank account information, with a goal of profiting from identity theft

Threats
- Current / former disgruntled employees: intentional compromise of cyber assets
- Cyber criminals: skilled cyber criminals targeting FE for monetary gain

Vulnerabilities
- Weak / inadequate encryption of stored information (data at rest)
- Employees with general access to network, systems, etc.
- Misconfiguration of cyber assets to allow easier compromise
- Insecure encryption key management system and/or network protocols used
- USB jump drive accessibility and use

Consequences
- Data breach: all or most FE customer records compromised (more than 100,000 records)
Results – Top Maximum Foreseeable Losses
• The 99% Confidence Level (CL) represents a worst case scenario with a very low likelihood of occurrence
• Although not represented here, Smart Meter is considered an emerging risk due to the uncertainty and newness of the technology

CODE | Threat          | Vulnerability                                      | Consequence          | Potential Frequency* | 99% CL Impact ($M)
IT02 | Cyber Criminals | Inadequate procedures / compromised cyber systems  | Network Data Breach  | 0.49                 | $144.8
Gail L. Chambliss, Director, Financial Risk Management, PNM Resources, Inc.
Why should we care?
“After years of warning the U.S. electric grid & critical infrastructure are dangerously vulnerable, experts fear it may take a major destructive attack to jolt CEOs out of complacency…”
Reuters, May 16, 2014
“Eastern European attackers, Energetic Bear, gain access to energy providers by tampering with industrial control systems software updates…”
• Cyber security is a problem for Energy in a way that information security wasn’t
• Energy companies are clearly a target for advanced attacks, moving beyond those from criminals
• Attackers are targeting Operational Technology (OT), with real-world impacts
The Operational Technology Problem
Increasing Exposure: The need to maintain operational availability makes updating and patching OT a significant challenge, while the technology is becoming increasingly exposed.
IT / OT Convergence: The lines between corporate IT and operational environments are becoming increasingly blurred as organisations seek to realise efficiencies.
Improving Adversaries: Attackers are increasingly focusing on OT, and we’ve seen an increase in capability emanating from foreign countries, including less well-known nations. Capability resides mostly in nation states, and expertise is less widespread than for IT.
Safety Critical Risks: Safety critical systems are a particular risk – the impacts on safety cases are not fully explored. Safety impacts on security are also not well understood in the security community.
• Our cyber solution extends much further than just traditional risk transfer
• Our goal is to support the membership and policyholders in long-term cyber risk management

AEGIS Cyber
Coverage: Bodily Injury, Property Damage, Data Loss, Business Interruption, Data Recovery, Cyber Extortion
Services: Threat Intelligence, Risk Assessments, Security Benchmarks, Incident Response
Key Supporting Services
We believe that both effective risk management and cyber security controls, when properly implemented, are crucial to managing cyber risk alongside our coverage.

Security Assessments
Appropriate and proportionate risk management requires robust risk assessment. Our business risk focused assessment helps identify how cyber threats may lead to high-priority business risks.
AEGIS Provides: Cybersecurity Risk Assessments
Policyholder Benefits:
- Strategic direction and risk advice
- Independent validation of current risks
- Early sight of emerging risks
- Bridge the gap between cyber threats and business impacts
- Improved coverage and pricing
Key Service Concepts

Security Assessments
Supports the evaluation, prioritization and improvement of security capabilities against current risks and the wider sector.
AEGIS Provides: Cybersecurity Maturity Assessments
Policyholder Benefits:
- Strategic direction and risk advice
- Independent validation of current risk management and security

Security Assessments
Detailed and contextualized threat intelligence directs risk and security capability against the most critical risks and immediate threats.
AEGIS Provides: Periodic Threat Briefings; Indicators of Compromise
Policyholder Benefits:
- Accurate intelligence to support risk assessment and management
- Reduced exposure to critical security incidents
- Early sight of emerging risks
Key Service Concepts

Incident Response
Cyber incidents require time-critical specialist support to investigate and remediate. We ensure that policyholders are prepared to respond and are supported in doing so.
AEGIS Provides / Policyholder Benefits:
- Incident Response Advisory: Increased resilience and efficient remediation
- Incident Management: Reduction in incident duration
- Incident Response / Forensics: Compliance with regulatory

Advisory Services
Supporting the membership and policyholders is key to reducing losses and providing the required coverage. Through our ongoing engagement and experience in cyber security we will provide ad-hoc advice to members with cyber concerns or questions.
AEGIS Provides / Policyholder Benefits:
- Ad-hoc advisory: Increased security awareness
- Good practice guidance: Accurate risk mitigation
- Access to forums / working groups: Reduced consultancy costs
Cyber Insurance Lifecycle
Our policy process ensures accuracy of cover, access to services and tailored, timely incident management.