
Philippe Cotelle’s presentation on SPICE at AIRBUS, FERMA Forum 2015

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space and member of the AMRAE, describes the development of a response methodology to create resilience against cyber risks.
SPICE stands for Scenario Planning to Identify Cyber Exposure, and it is an initiative sponsored by the CFO of Airbus Defence and Space. It is a pilot programme for a business impact analysis to identify cyber-related disaster scenarios that could affect our operational capability, and it is truly innovative.

Published in: Business

  1. Cyber risks, a view from the industry. Philippe COTELLE, Head of Insurance Risk Management
  2. [Slide header: BRUSSELS, 20-21 October; www.ferma.eu; FORUM 2015, Venice, Italy, 4-7 October] A new industrial revolution. Where the aeronautic industry had been so a century ago… this is how we see this in the coming decade:
  3. Cyber risks exposure. Internet: a tool allowing the sharing of information between people in order to create an open world. Difficulties in protecting companies and their data from the outside.
  4. What are the obstacles to a good assessment of our cyber risks?
     • Reputation
     • Wrong perception
     • Confidentiality
  5. SPICE initiative (Scenario Planning to Identify Cyber Exposure). A pilot program for business impact analysis on disaster scenarios affecting our operational capabilities related to a cyber-event. Gathering representatives of all the functions as well as IT and IM Security to overcome 3 hurdles:
     • Explain to the operational people that we need them
     • Address the security issue with extreme care
     • Be prepared to openly discuss some potential scenarios of exposure and do not assume that it is impossible to hack a company like us
  6. Scenarios identification
     • Focus on disaster scenarios
     • Clear hypothesis
  7. Assessing financial costs. Assessing financial cost of each scenario:
     • Split scenarios in 4 different phases
     • Simplify the list of impacted functions
     • Compute over/under charge per scenario, per phase
     [Figure: financial costs for Scenario x per phase, with values 10, 46, 88, 22 for Phase A, Phase B, Phase C, Phase D; timeline labels: Security Breach, Crisis, Remediation, Investments, Vigilance, Security Breach Detection]
  8. Assessing financial costs: lessons learned
     • NUMBERS are related to our financial exposure
     • There is no final number
     • The objective is to reach a consensus:
       • acceptable by everyone
       • valid for our analysis
  9. Evaluate probability of occurrence. Quantify the technical probability of success of a scenario to occur:
     • For each step of a given scenario, identify technical ways to proceed
     • Rate each step with a probability of occurrence (using internal probability scale)
     Assessment performed by the local Information Management Security. APT Kill Chain description used in the technical threat scenario.
  10. Evaluate probability of occurrence: lessons learned. Same method but different numbers!? 2 different approaches:
     • If an attacker was effectively considering seriously to hack Airbus, then this must be a very strong organisation which in itself should have gathered all those unique skills and resources. Therefore their probabilities were more important.
     • Given the defence systems in place, in order to be successful the attacker should gather so many different skills and resources that this was very unlikely to be plausible. As such the probabilities were therefore very low.
     Conclusions:
     • Need a homogeneous approach
     • Associate to each scenario the type of hacker and their motives
  11. Next steps: provide a rationale for mitigation strategy. Justify the interest of the transfer to insurance both for coverage and premium budget:
     • IT investment to reduce the probability of occurrence, until the point of time when costs are too high.
     • At that point of time insurance becomes complementary (and not competitive) to IT measures and is efficient from a cost point of view
     [Figure: labels "Cost of implementing IT security" and "% of Mitigation", with two regions marked "IT investment makes sense to mitigate the exposure" and "Insurance premium cost is efficient"; process stages: Risk identification, Risk assessment, Risk response]
  12. Challenges. The process needs to be performed regularly and be as exhaustive as possible:
     • a strategy allowing to manage the roll out of this process across the entire organisation, products and countries
     • an efficient process manageable with the operational teams
  13. Challenges. The insurance market needs as well to face several challenges:
     • Conditions of dialog with the insurers
     • Problem of reputation in case of a claim
     • Claim settlement
  14. Conclusion
     • Our mission to support technological development and to develop the conditions of securing and mitigating the unavoidable risks that such opportunities generate.
     • Support from top management required down to every level of the operations.
     • The methodology is key to obtain valuable results
     • Many challenges are still in front of us all, there is no One response
       • A key message from the Board towards external stakeholders.
       • The question on the standard for cyber risk assessment
  15. Thank you!