Capabilities-based – rather than actuarial – risk analysis would make businesses safer

Published 3 April 2014

Many businesses and organizations, when applying cost-benefit analysis and risk-management analysis to measure cyber risk, rely on the assumption that the likelihood of a future attack depends heavily on how many attacks have occurred in the past. Since there has yet to be a full-scale attack on critical infrastructure in the United States, it is simple to conclude that the risk of a cyberattack on critical infrastructure is low, thereby justifying low investment in additional security initiatives. An actuarial risk analysis may conclude that there is little likelihood of such an attack occurring, but a capabilities-based risk analysis recognizes that since adversaries are capable of such an attack, it is in an organization’s best interest to secure against it.

DHS and other government agencies are urging companies to adopt better cybersecurity protocols for their business and critical control systems. The American Petroleum Institute (API) was an early adopter of such initiatives when, in October 2004, it issued API 1164, a voluntary industry standard specific to supervisory control and data acquisition (SCADA) systems, designed to improve security within API member firms. As cybersecurity risks continue to evolve and the capabilities of hackers increase, companies must adopt the most effective security measures against these wily adversaries.

Insurance News Net reports that control system security teams in the oil and gas industry have been concerned about cyber-compromise of pipeline control systems, since such a compromise may shut down operations, damage mechanical parts (leading to high replacement costs), and cause oil and gas leaks that may result in spills or shock waves, posing a risk to public safety. Oil and gas and other critical infrastructure operations are never fully protected, and there is always room for improving security measures.

A cost-benefit analysis and a risk-management analysis, which management teams generally use to justify an investment intended to increase profits or reduce cost, may also be used for investments that address security and safety risks.

Risk managers can rely on the National Institute of Standards and Technology’s (NIST) methodology to evaluate security risk. The methodology defines risk in many ways, the most direct being NIST 800-37’s definition: “risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.” Consider this definition the “actuarial model of risk,” similar to how insurance firms model risk by asking “How likely is an earthquake or hurricane?” and “What is the average financial impact of such an occurrence?” Multiplying the two variables yields the expected business impact of a risk.

Insurance News Net notes that when this definition of risk is applied to measure cyber risk, the assumption is that the likelihood of a future attack depends heavily on how many attacks have occurred in the past. Since there has yet to be a full-scale attack on critical infrastructure in the United States, it is simple to conclude that the risk of a cyberattack on critical infrastructure is low, thereby justifying low investment in additional security initiatives. DHS and military assessors recommend that critical infrastructure firms instead measure risk by asking, “How capable are our enemies?” and “How capable are our defenses?” In addition, they ask, “When – not if – an attack occurs, what is the most likely outcome?” An unacceptable outcome means that firms must improve their security capabilities. The challenge in persuading management to invest in additional security under the actuarial definition of risk is that targeted attacks (often accomplished by introducing malware or spyware into network systems through malicious e-mail attachments) have rarely been used against pipeline or critical infrastructure operations. An actuarial risk analysis assumes little likelihood of such an attack occurring, but a capabilities-based risk analysis recognizes that since adversaries are capable of such an attack, it is in management’s best interest to secure against it.

Andrew Ginter, vice president of Industrial Security at Waterfall Security Solutions, asks, “Is senior management willing to represent the first pipeline to be taken down by a targeted attack? When the first such attack causes serious consequences, there will be questions by the media, and possibly by congressional committees, such as: What did you know? When did you know it? What did you do about it?” If management wants to avoid such questions, “the time to act is now.”