Taking Control of Cyber Risk
Today’s Little Bobby: “Assessing Impacts”
22 October 2019
Jason Christopher, CTO, Axio
JASON CHRISTOPHER
Chief Technology Officer // ICS Security Lead
▪ Leads critical infrastructure strategy at Axio; actively involved in platform development
▪ Certified SANS Instructor for ICS
▪ Frequent speaker at conference and client events
▪ Federal energy lead for several industry standards and guidelines, including NERC CIP v5, NIST CSF, and the C2M2
▪ Incident response and risk management lead for DOE
▪ Security metrics development across EPRI and other research organizations
▪ Began career building control systems at a utility
▪ MS, Electrical Engineering, Cornell
▪ Based in Atlanta, GA
we’ve talked about this BEFORE
(Smaller beard, but still dashing)
▪ Measure in dollars, move away from colors
▪ Link to insurance policies, like property & casualty, to connect with the CFO
▪ Get invited to the board room and stay there!
Today we’ll use one key metric. Also wrote something for the SANS Reading Room.
introductions
▪ Name
▪ Where you’re from
▪ Role(s)?
▪ Cyber risk experience?
▪ Expectations
a little about us AND CYBER RISK
Axio’s methodology and software help answer the four most critical questions for cyber risk:
1. What’s my exposure in financial terms? (Cyber Risk Quantification)
2. How mature is my cyber program? (Cybersecurity Assessment)
3. Do I have the financial ability to recover? (Insurance Stress Testing)
4. Where should I invest? (Prioritization)
cyber risk in the BOARD ROOM
cyber risk in the FIELD
but why is measuring it SO DIFFICULT?
myth #1: GETTING DATA IS HARD
Then you’re doing this wrong. You really mean “I need the right starting point.”
▪ What can you measure? Start somewhere
▪ Understand that metrics improve with time (only barbarians measure in “stones” and “feet”)
▪ Resources may be constrained at first
▪ But if you don’t try, it won’t get better
Literally, just do something.
myth #2: SECURITY IS AN ART
Really bad argument here… There’s measurement in almost everything.
▪ Can you document something?
▪ Can you count something?
▪ Observe the trends where you can
Literally, just do anything.
myth #3: THIS TAKES TOO MUCH TIME
Engineering 101: “Optimize within your constraints.” Size your efforts to your team.
▪ Team of 1? That still works (more on this later)
▪ Don’t boil the ocean and don’t build a team to “admire the problem.”
▪ Anything worth doing takes time and effort!
“If you’re not keeping score, you’re just practicing” – Vince Lombardi
our story so far is… A ROCKY ONE…
Unlike other parts of the business, “security” has some communication issues:
Defining “cyber risk” comparative to other risks across operations
▪ Leads to a sense of false equivalency, both in the description of the risk and in how the risk should be addressed.
Creating metrics to measure performance of both the security program and threats
▪ No clear consensus on the metrics
▪ Creating a metrics program may compete against actual protective controls for budget and staff
▪ Identifying the right audience for risk metrics is… exhausting.
The cyber risk profession needs to play “catch up,” and fast.
fixing the issues starts with THE RIGHT METRIC
“If you’re not keeping score, you’re just practicing.” – Vince Lombardi
how do you MAXIMIZE CAPABILITIES?
metrics and OPERATIONS | safety and security CULTURE | APPLICABILITY with leadership
Topics:
▪ Understanding the terms of art
▪ Tools to translate between silos
▪ Key categories of cyber risk: property damage, environmental damage, computer systems damage
▪ Mechanics of risk management
▪ Risk transfer challenges and optimization
▪ Effective controls to minimize the risk
where do we START?
Use the tools you already have at your disposal. Security teams: table top exercises!
▪ Already used to report on capabilities (if done right)
▪ With a few minor tweaks (and breaking a few silos), every exercise can help quantify cyber risk.
MIXING it up and having some FUN
© 2019 Axio Global, Inc.
Real World Example Cyber Events
What should go into a table top scenario?
Stuxnet
2009: Destructive attack on an industrial control system
▪ Iran’s Natanz uranium enrichment facility
▪ Extensive physical damage: about 1,000 industrial centrifuges were damaged or destroyed by taking over the industrial control system and changing motor speeds while sending fake signals to the control room to indicate normal conditions
▪ Control system was “air-gapped”; the malware was carried in on USB drives
▪ Considered to be the first cyber attack resulting in major physical damage
Sources: The Telegraph, 30 Nov 2010; http://securityaffairs.co/wordpress/4544/hacking/stuxnet-duqu-update-on-cyber-weapons-usage.html
2014: Germany, Destructive Attack — Steel Mill
▪ Cyber attack on a steel mill via spear phishing
  • Disrupted the industrial control system for a blast furnace
  • Furnace could not be shut down in a controlled manner
  • Resulted in “massive” but unspecified damage
▪ Revealed by the German Federal Office for Information Security (BSI) in December 2014. Few details are known about the event; the Germans remain quiet.
▪ Motive is unclear
Coordinated Attack — Ukrainian Power Outage, Dec 2015
225,000 customers lost power for 1 to 6 hours (about 135 MW of load)
Highly coordinated efforts were synchronized against three power distribution utilities:
1. SCADA hijack with malicious operation to open breakers
2. Disconnected backup power (control-center UPS) and flooded call centers to delay outage response
3. Corrupted firmware on serial-to-Ethernet communication devices at substations and wiped workstations and servers to amplify the attack
Results could be more impactful in the US due to our heavy reliance on automation and relative inexperience with manual operations.
Transmission attack: Ukrainian Power Outage 2016
▪ 1.25-hour outage at one transmission substation outside Kiev, Dec 2016
▪ 200 MW power loss = 1/5 of the power necessary for Kiev
▪ Investigation was pending when this slide was drafted; the malware was later publicly documented as Industroyer/CrashOverride (June 2017)
▪ Attacks at the transmission level have more widespread impact
Dragonfly 2.0: reported by Symantec, Sept. 2017
▪ Campaign targeting energy firms since 2011, with a dramatic uptick in 2017
▪ More than 20 companies’ networks were penetrated; in a “handful,” the attackers obtained access to “control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers.” [Greenberg 2017b]
▪ Such access would allow attacks similar to Ukraine 2015.
U.S. Pipelines, April 2018: attack on an EDI vendor causes communications disruptions
▪ Attackers targeted Latitude Technologies, a Texas-based provider of electronic data interchange (EDI) services
▪ Latitude provides EDI and other technology services to more than 100 entities
▪ Gas service was not affected, though several companies reported interruptions to their communications, including Oneok, Energy Transfer Partners, Boardwalk Pipeline Partners, and Eastern Shore Natural Gas
▪ Solid example of a cyber event affecting third-party organizations through a shared vendor
TRITON/TRISIS ICS Attack: 2017 attack on a critical infrastructure Safety Instrumented System (SIS)
▪ SIS are uniquely configured per facility and provide the last line of defense to preserve safety in any off-normal event.
▪ Attacker achieved access to and control of both the industrial control system and the SIS.
▪ While the attacker had control of the SIS, a bug in their code caused the safety controllers to fail safe and shut down the facility, which led to discovery of the intrusion.
▪ Reverse engineering found the RAT (remote access Trojan) but not the attack module(s).
▪ Attacker “owned” the entire ICS network and could easily have initiated a shutdown or stolen process information.
▪ Attacker also went after the SIS, clearly indicating that they wanted to cause harm to people and damage to equipment.
Wannacry Ransomware Outbreak, 12 May 2017
▪ More than 230,000 computers in more than 150 countries
▪ Leveraged “EternalBlue,” an exploit developed by the NSA based on a flaw in Microsoft Windows’ Server Message Block (SMB) protocol; Microsoft had patched the flaw as MS17-010 two months earlier
▪ Spread was largely halted when a security researcher discovered and registered the kill-switch domain
Animated map from New York Times, accessed 2017-05-14: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
Petya/Nyetya/NotPetya, 27 June 2017
▪ Data wiper disguised as a ransom-worm
▪ Originated in Ukraine (via a trojanized update of the M.E.Doc accounting software) but spread globally
▪ Exploited the EternalBlue vulnerability (NSA), combined with credential theft and lateral movement using legitimate administrative tools, so patched hosts were hit too
▪ 2M computers within 2 hours of release
▪ Many prominent firms were impacted. Cyence estimates $850M in damages; Maersk reports $200-300M in damages.
▪ Motive and origin were a mystery at the time; many believe it was targeted to damage Ukraine or to serve as a smokescreen. In February 2018 the US and UK governments publicly attributed it to the Russian military.
Data Destruction — Shamoon timeline (2012 to 2017)
▪ Aug 2012, Saudi Aramco: 35,000 computers wiped and rendered inoperable; 10-day recovery
▪ Aug 2012, RasGas: similar attack
▪ Feb 2014, Las Vegas Sands: data stolen; 1000’s of computers wiped (CEO Adelson had called for nuking Iran)
▪ Nov 2014, Sony Pictures: data stolen & crippling data destruction (The Interview)
▪ Nov 2016, 6 Saudi agencies: Shamoon time-bombs synchronized; a computer date change preceded the attack
▪ Jan 23, 2017, 9:02 am, ≥ 7 Saudi orgs: hit at least 3 government & 4 private orgs, several in petrochemicals
Other Common Cyber Risk Categories
In addition to tangible destruction and data destruction, we should be aware of these:
Theft or Loss of Data
▪ Personal data, credit card data, business data: any data with black-market or competitive value is at risk
▪ Historically, the primary cyber peril
▪ Motive: financial or competitive gain, extortion, intel gathering
Business Email Compromise
▪ Theft of funds through cyber trickery
▪ Up 1300% since early 2015; the FBI reports 22,143 victims and $3.1 billion stolen through mid-2016
▪ Motive: financial
Communications Disruption
▪ Website or network disruption; website defacement; social media takeover
▪ DDoS attacks have dramatically increased in severity
▪ Motive: financial, ideological, extortion, terrorism, or war
Threat climate takeaways
▪ Increasing threat actor capabilities for industrial control system attacks
  • Safety system attacks are a new front, very concerning
  • Automated attack frameworks represent considerable risk
  • Increased signals that physical damage is being attempted
▪ Relative likelihood
  • Motive is a big differentiator, but is not the sole factor
  • NotPetya damaged many organizations opportunistically, as worms typically will
  • Cyber-physical attacks are less likely, but have the potential for catastrophic impact
▪ Bottom line: we are all at increasing risk
Cyber-physical attacks: less likely, but large potential impact (example: TRITON/TRISIS)
Availability events: more likely, disruption-oriented (examples: ransomware, worms)
Break
Quantifying Cyber Exposure Exercise: Overview
GOAL: Demonstrate cyber risk quantification methods
This session will be a mock quantification workshop:
▪ Fictitious company profile
▪ Workshop overview
▪ Mini-process based on a pre-planned loss scenario
▪ Wrap-up discussion
• Workshop typically requires ~1 day
• We will shortcut some workshop elements
Company profile: Acme Utilities
▪ Warner City-based, large, independently owned utility
  • Transmission, Distribution, Telecommunications, Natural Gas
  • 5,000,000 customers
  • New AMI project being rolled out
▪ 2018 revenue: $20 billion
Yes, this is made up. No, you should not “fight the scenario.”
Quantification Workshop Participants
1. Wile E. Coyote: ACME Risk Manager; workshop co-host; responsible for ERM and risk transfer program
2. Ray Wilson: ACME SVP for IT; workshop co-host; responsible for enterprise IT operations
3. Mike Shuster: ACME CISO; responsible for enterprise security, physical and logical, IT and OT
4. Nader White: ACME Senior Counsel, Chief Privacy Officer
5. David Young: ACME Director of Distribution Operations
6. Lisa Curtis: ACME Director of Water Operations
7. Scott Mehravari: ACME Director of Finance & Supply Chain
8. Pamela Fry: ACME Director of Metering
9. Jason Kannry: ACME Director of Telecommunications Operations
10. Dan Brown: ACME Insurance Program Lead
11. Kevin Gonzalez: ACME Director of Engineering
12. Julia Moore: Axio Co-Facilitator
13. Nikki Bogle: Axio Co-Facilitator
Quantification Process Overview
1. Brainstorm Scenarios
   ▪ Brainstorm cyber loss scenarios that would impact operations
   ▪ Use the brainstorming framework to consider various scenario types
   ▪ Identify many scenarios with large potential impacts
2. Select Priority Scenarios
   ▪ Select and rank a subset of the scenarios considered to pose the largest operational and financial impact
   ▪ Objective is to identify 5-10 scenarios
3. Quantify Impact
   ▪ For each scenario, estimate impact using the taxonomy worksheet
   ▪ Objective is to complete estimates for as many of the selected scenarios as possible in the time available
Brainstorming
Model Loss Scenario
Ask the question: What keeps you up at night?
▪ Elements:
  • Scenario # (sequential)
  • Who (the actor or an event)
  • Their motive (if applicable)
  • What they did or what happened (the action)
  • The result on operations, data, systems, or other business elements
  • Final outcome/damages of the action or event (data compromised, equipment or facilities damaged, revenues lost, and so forth)
  • Lines of business (or categories of operations) affected
▪ For example:
Scenario 12: A financially motivated cyber actor infects our finance and customer management systems with ransomware, which renders them inoperable and causes the loss of all billing, customer, and employee data. Multiple lines of business are affected, including paychecks for employees. We are unable to complete any financial transactions or manage customer accounts, resulting in revenue and customer service delays. We ultimately pay the ransom, but the system was unavailable for 2 weeks.
Scenario Brainstorm Framework: Cyber Event Vectors
1. Data theft; cyber espionage; IP theft
   • Loss of IP
   • Loss/disclosure of PII, PHI, PCI
2. Data destruction or alteration
3. Network interruption or outage
   • DDoS (internal or external)
   • Network infrastructure attacks
   • Dependent parties (e.g. cloud)
4. Cyber theft of funds
5. Attacks on control systems
   • Controls takeover
   • Plant & machinery damage
   • Production outage or issues
6. Cyber extortion (likely combined with one of the above)
7. Other
The framework becomes a matrix: cyber event vectors 1-7 (rows) crossed with Acme Utilities operations (columns): A Telecomm, B Distribution, C Gas, D New AMI, E Business Operations, F Other. Each brainstormed scenario is pinned to the cell(s) it touches.
Cyber Loss Scenario Brainstorming: summary results
▪ After the brainstorming framework was presented and discussed, a total of 42 scenarios were brainstormed by the participants, and were captured on flip charts in the workshop room.
▪ Over lunch, each participant selected the scenarios they were most concerned about from an impact perspective. Votes were tallied to develop a priority list of top scenarios.
▪ The following page shows an example brainstorming framework and highlights the 4 selected scenarios as a result of the prioritization process.
Top Scenarios on the framework (cyber event vectors 1-7 × operations A Telecomm, B Power, C Gas, D New AMI, E Business Operations, F Other):
1. PCI and employee data theft
2. Shamoon-type wiper event across all business units
3. Operational disruption with a communications network distractor (includes an ICS malware component in the control systems row)
4. Gas billing ransomware
New AMI and Smart Grid Integration: a vision for ACME’s future!
• Received federal grant money for a new smart grid AMI installation and worked with WECE on design and implementation.
• Uses state-of-the-art wireless technology to provide operational visibility and big data analytics across not only the AMI capabilities, but ACME’s unique broadband utility and water operations.
• Awarded “Most Beautiful Inverter Design” by IEEE Power Engineering Society
Scenario 3: Operational Disruption with a Communications Network Distractor
▪ Politically or environmentally motivated actor
▪ Combines two attack types: one targeting the wireless network to distract operators, the other targeting ACME’s AMI
▪ The attackers exploit a misconfiguration in ACME’s wireless network and execute an attack that disrupts communication of metering data, creating confusion about the status of power operations.
▪ Attackers install ransomware on operator terminals and disable telecommunications across the shared broadband, water, and AMI networks
▪ The final stage of the attack executes a remote disconnect on a large number of meters and “bricks” a smaller subset. Since communications are down, ACME needs to manually restore or replace the meters.
We’ll take a few minutes to read the scenario; then we’ll begin quantifying the cyber risk!
Impact Quantification
The Axio Quadrants: taxonomy for cyber events

                    First Party Impacts               Third Party Impacts
Financial Impacts   Your income and expenses          Others’ income and expenses
Tangible Impacts    Your people, property, and        Others’ people, property, and
                    environment                       environment
Top Quadrants: Financial Impacts
Some of these impacts are data-breach centric; many could apply to any event.
First Party Financial Impacts:
• Response costs: forensics, notifications, credit monitoring
• Legal expenses: advice and regulatory filings
• Lost income from network or computer outages, including cloud
• Theft of funds, monies, or securities
• Cost of restoring lost data
• Cyber extortion expenses
• Value of stolen intellectual property
• Other financial damages
Third Party Financial Impacts:
• Consequential lost income
• Restoration expenses
• Legal defense
• Civil fines and penalties
• Shareholder losses
• Other financial damages
Bottom Quadrants: Tangible Impacts
These impacts are of increasing concern to all companies, especially critical infrastructure.
First Party Tangible Impacts:
• Mechanical breakdown of your equipment
• Destruction or damage to your facilities or other property
• Environmental cleanup of your property
• Lost income from physical damage to your (or dependent) equipment or facilities (business interruption)
• Bodily injury to your employees
• Other tangible damages
Third Party Tangible Impacts:
• Mechanical breakdown of others’ equipment
• Destruction or damage to others’ facilities or other property
• Environmental cleanup of others’ property
• Bodily injury to others
• Product liability
• Product recall expenses
• Other tangible damages
First-Party Financial Impacts worksheet (columns: Impact Category | Assumptions | Estimate, ranges are ok)
• Response costs: forensics, notifications, credit monitoring
• Legal advice
• Revenue losses from network, cloud, or computer outages
• Cost of restoring lost data
• Cyber extortion payments
• Value of stolen intellectual property
• Reputational harm
• TOTAL
First-Party Financial Impacts worksheet, filled in for Scenario 3
• Response costs: forensics, notifications, credit monitoring
  Assumptions: forensics team hourly rate ($250) × forensics team weeks (5) × forensics team size (4) × hours per week (60)
  Estimate: $300,000
• Legal advice: not estimated
• Revenue losses from network, cloud, or computer outages
  Assumptions: [annual revenue ($365M) / days in year (365)] × days of lost revenue (10)
  Estimate: $10,000,000
  Note: the $365M is an illustrative figure chosen for easy arithmetic ($1M per day); the Acme profile lists $20B revenue, which would make the same 10-day outage roughly $548M. Pick one revenue basis and use it consistently across scenarios.
• Cost of restoring lost data: not estimated
• Cyber extortion payments: not estimated
• Value of stolen intellectual property: not estimated
• Reputational harm: not estimated
• TOTAL: $10,300,000
Third-Party Financial Impacts worksheet (columns: Impact Category | Assumptions | Estimate, ranges are ok)
• Consequential revenue losses
• Restoration expenses
• Legal defense
• Shareholder losses (including D&O suits)
• Other financial damages
• TOTAL
Third-Party Financial Impacts worksheet, filled in for Scenario 3
• Consequential revenue losses: not estimated
• Restoration expenses: not estimated
• Legal defense: not estimated
• Shareholder losses (including D&O suits): not estimated
• Other financial damages
  Assumptions: civil fines and penalties from regulators
  Estimate: $20,000,000 - $40,000,000
• TOTAL: $20,000,000 - $40,000,000
First-Party Tangible Impacts worksheet (columns: Impact Category | Assumptions | Estimate, ranges are ok)
• Mechanical breakdown of your equipment
• Destruction or damage to your facilities or other property
• Environmental cleanup of your property
• Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
• Bodily injury to your employees
• TOTAL
First-Party Tangible Impacts worksheet, filled in for Scenario 3
• Mechanical breakdown of your equipment
  Assumptions: firmware damage to computing equipment:
  [control system server count (100) × server cost ($10,000)] + [workstations (500) × workstation cost ($1,000)] + [switches (150) × switch cost ($2,000)]
  Estimate: $1,000,000 + $500,000 + $300,000 = $1,800,000
• Destruction or damage to your facilities or other property: not estimated
• Environmental cleanup of your property: not estimated
• Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption): not estimated
• Bodily injury to your employees: not estimated
• TOTAL: $1,800,000
Third-Party Tangible Impacts worksheet (columns: Impact Category | Assumptions | Estimate, ranges are ok)
• Mechanical breakdown of others’ equipment
• Destruction or damage to others’ facilities or other property
• Environmental cleanup of others’ property
• Bodily injury to others
• TOTAL
Third-Party Tangible Impacts worksheet, filled in for Scenario 3
• Mechanical breakdown of others’ equipment: not estimated
• Destruction or damage to others’ facilities or other property
  Assumptions: [compromised partner servers (20) × partner server cost ($2,000)] + [compromised partner workstations (50) × partner workstation cost ($500)]
  Estimate: $40,000 + $25,000 = $65,000
• Environmental cleanup of others’ property: not estimated
• Bodily injury to others: not estimated
• TOTAL: $65,000
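The four worksheets above are one data model with one arithmetic rule: every row is a category in one quadrant, an assumptions string, and a (low, high) range, and totals are sums per quadrant and overall. The script below is an added example (not Axio’s platform code or methodology) that encodes the quadrant taxonomy and recomputes the Scenario 3 figures from the assumption cells; the row/range representation and the helper formulas are this example’s own choices.

```python
"""Cyber loss scenario impact worksheet built on the four-quadrant
taxonomy from the deck (first/third party x financial/tangible).

Added example; not Axio's platform code or methodology. The line items
and unit costs are the deck's illustrative Acme Utilities figures for
Scenario 3. The (low, high) range arithmetic and the helper formulas
are this example's own assumptions about how a worksheet row is scored.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Party(Enum):
    FIRST = "first party"
    THIRD = "third party"


class Kind(Enum):
    FINANCIAL = "financial"
    TANGIBLE = "tangible"


@dataclass
class Row:
    """One worksheet line: category, quadrant, (low, high) estimate, assumptions."""
    category: str
    party: Party
    kind: Kind
    low: float
    high: float
    assumptions: str = ""

    @classmethod
    def point(cls, category, party, kind, value, assumptions=""):
        """A single-value estimate is a range with low == high."""
        return cls(category, party, kind, value, value, assumptions)


@dataclass
class LossScenario:
    name: str
    rows: List[Row] = field(default_factory=list)

    def add(self, row: Row) -> "LossScenario":
        self.rows.append(row)
        return self

    def quadrant_total(self, party: Party, kind: Kind) -> Tuple[float, float]:
        sel = [r for r in self.rows if r.party is party and r.kind is kind]
        return (sum(r.low for r in sel), sum(r.high for r in sel))

    def total(self) -> Tuple[float, float]:
        return (sum(r.low for r in self.rows), sum(r.high for r in self.rows))

    def report(self) -> str:
        """Quadrant-by-quadrant summary in the order the deck presents them."""
        lines = [f"Scenario: {self.name}"]
        for kind in Kind:
            for party in Party:
                lo, hi = self.quadrant_total(party, kind)
                lines.append(f"  {party.value:12s}{kind.value:10s}${lo:>14,.0f} - ${hi:>14,.0f}")
        lo, hi = self.total()
        lines.append(f"  {'TOTAL':22s}${lo:>14,.0f} - ${hi:>14,.0f}")
        return "\n".join(lines)


# Helper formulas mirroring the assumption cells on the worksheet slides.
def forensics_cost(hourly_rate: float, weeks: int, team_size: int, hours_per_week: int) -> float:
    return hourly_rate * weeks * team_size * hours_per_week


def outage_revenue_loss(annual_revenue: float, days_down: int) -> float:
    return annual_revenue / 365 * days_down


def replacement_cost(units: Dict[str, Tuple[int, float]]) -> float:
    """Sum of count x unit cost over {item: (count, unit_cost)}."""
    return sum(count * unit_cost for count, unit_cost in units.values())


def scenario_3() -> LossScenario:
    """Scenario 3 rows as filled in on the slides (only the categories the
    workshop chose to estimate; the other rows stay blank)."""
    s = LossScenario("Operational disruption with a communications network distractor")
    s.add(Row.point("Response costs: forensics", Party.FIRST, Kind.FINANCIAL,
                    forensics_cost(250, 5, 4, 60), "4 people x 5 weeks x 60 h/week at $250/h"))
    s.add(Row.point("Revenue losses from outages", Party.FIRST, Kind.FINANCIAL,
                    outage_revenue_loss(365_000_000, 10),
                    "$365M/yr (the slide's illustrative figure), 10 days down"))
    s.add(Row("Other financial damages: civil fines and penalties", Party.THIRD, Kind.FINANCIAL,
              20_000_000, 40_000_000, "regulator range"))
    s.add(Row.point("Mechanical breakdown: firmware damage", Party.FIRST, Kind.TANGIBLE,
                    replacement_cost({"control system servers": (100, 10_000),
                                      "workstations": (500, 1_000),
                                      "switches": (150, 2_000)}),
                    "replace bricked control-system hardware"))
    s.add(Row.point("Damage to others' equipment", Party.THIRD, Kind.TANGIBLE,
                    replacement_cost({"partner servers": (20, 2_000),
                                      "partner workstations": (50, 500)}),
                    "compromised partner hardware"))
    return s


if __name__ == "__main__":
    print(scenario_3().report())
```

Keeping each row’s assumptions next to its number is the point of the worksheet: when someone at the table disputes the $20-40M fine range, the argument is about one string and one pair of numbers, and the totals update themselves.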
Assignment time! Estimate Potential Impact per Scenario
▪ Develop rough estimates of the potential impact from the selected scenarios by loss category
  • Use the impact analysis worksheet
  • Note: impact estimates are not necessary for all loss categories; rough estimates for the categories of highest impact will suffice.
  • Feel free to use Google or “call a friend,” but make this quick!
  • Each table should be prepared to talk about their assumptions and ranges.
What decreases impact costs? (MAKE ASSUMPTIONS)
• Additional cybersecurity capabilities: what’s missing?
• Engineered resilience: could this be prevented?
• How to talk about cyber risk and dollars to executives?
Quantification Platform Demo
Presentation & Discussion
HEAT MAPS ARE DEAD, long live heat maps
Score = Impact (1-5) + Probability (1-5):

Impact \ Probability   Rare (1)   Remote (2)   Possible (3)   Likely (4)   Very Likely (5)
Catastrophic (5)          6           7             8             9               10
Significant (4)           5           6             7             8                9
Moderate (3)              4           5             6             7                8
Minor (2)                 3           4             5             6                7
Insignificant (1)         2           3             4             5                6

Response by score:
• Accept (score = 2, 3)
• Monitor (score = 4, 5)
• Manage (score = 6)
• Avoid/Resolve (score = 7)
• Urgently Avoid/Resolve (score = 8, 9, 10)

Note the additive scale’s blind spot: Catastrophic/Rare and Insignificant/Very Likely both score 6 (“Manage”), one more reason to carry dollar estimates alongside the colors.
Use the tools and language of your risk management peers; change won’t happen overnight!
Impact criteria: example thresholds per impact category

Category                           Insignificant   Minor      Moderate   Significant   Catastrophic
Outage of more than X customers    10              100        500        1,000         5,000
Financial impact of more than $Y   $1,000          $20,000    $80,000    $200,000      $500,000
Business ops disruption of ≥ Z     1 hour          4 hours    8 hours    2 days        5 days
Serious injury to ≥ A people       0               0          1          10            50
Breach of data for ≥ B customers   100             1,000      5,000      10,000        100,000
...and so forth

HEAT MAPS ARE DEAD, long live heat maps
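The two tables above are a lookup that a quantified scenario can be pushed through mechanically: find the highest tier any criterion clears, add the likelihood tier, and read off the response band. The script below is an added example (not Axio’s or any ERM tool’s code) that does exactly that with the deck’s thresholds and bands. Two details are this example’s own assumptions: a criterion whose threshold is 0 is treated as “not a driver at that tier” (so zero injuries never lifts a scenario to Minor), and a scenario that clears no threshold is floored at Insignificant.

```python
"""Translate a quantified cyber loss scenario into the ERM heat map
vocabulary from the deck: an impact tier (1-5) from the impact criteria
table, a likelihood tier (1-5), the additive score, and its response band.

Added example, not Axio's or any ERM tool's code. Thresholds and bands are
copied from the deck's tables; the zero-threshold rule and the tier-1 floor
are this example's assumptions.
"""
from typing import Dict, Tuple

IMPACT_TIERS = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                4: "Significant", 5: "Catastrophic"}
LIKELIHOOD_TIERS = {1: "Rare", 2: "Remote", 3: "Possible",
                    4: "Likely", 5: "Very Likely"}

# criterion -> (comparison, thresholds for tiers 1..5), from the deck's table
CRITERIA: Dict[str, Tuple[str, Tuple[float, ...]]] = {
    "customers_out":    (">",  (10, 100, 500, 1_000, 5_000)),
    "financial_usd":    (">",  (1_000, 20_000, 80_000, 200_000, 500_000)),
    "disruption_hours": (">=", (1, 4, 8, 48, 120)),          # 2 days, 5 days
    "serious_injuries": (">=", (0, 0, 1, 10, 50)),
    "records_breached": (">=", (100, 1_000, 5_000, 10_000, 100_000)),
}

RESPONSE_BANDS = [((2, 3), "Accept"), ((4, 5), "Monitor"), ((6, 6), "Manage"),
                  ((7, 7), "Avoid/Resolve"), ((8, 10), "Urgently Avoid/Resolve")]


def _clears(op: str, value: float, threshold: float) -> bool:
    if threshold == 0:            # assumption: a zero threshold is not a driver
        return False
    return value > threshold if op == ">" else value >= threshold


def criterion_tier(name: str, value: float) -> int:
    """Highest tier (0-5) whose threshold this single criterion clears."""
    op, thresholds = CRITERIA[name]
    tier = 0
    for level, threshold in enumerate(thresholds, start=1):
        if _clears(op, value, threshold):
            tier = level          # thresholds are non-decreasing, so keep climbing
    return tier


def impact_tier(observations: Dict[str, float]) -> int:
    """A scenario's impact is the worst tier any of its criteria reaches (floor 1)."""
    return max([1] + [criterion_tier(k, v) for k, v in observations.items()])


def risk_score(impact: int, likelihood: int) -> int:
    """The deck's matrix is additive: cell value = impact + probability."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood are 1-5 tiers")
    return impact + likelihood


def response(score: int) -> str:
    for (lo, hi), label in RESPONSE_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside the 2-10 matrix")


def heat_map_cell(observations: Dict[str, float], likelihood: int) -> Dict[str, object]:
    impact = impact_tier(observations)
    score = risk_score(impact, likelihood)
    return {"impact": impact, "impact_label": IMPACT_TIERS[impact],
            "likelihood": likelihood, "likelihood_label": LIKELIHOOD_TIERS[likelihood],
            "score": score, "response": response(score)}


if __name__ == "__main__":
    # Constructed inputs: a large quantified scenario judged "Possible" ...
    print(heat_map_cell({"financial_usd": 32_165_000, "customers_out": 250_000,
                         "disruption_hours": 240}, likelihood=3))
    # ... and a small outage (50 customers, 2 hours, $5,000) judged "Likely"
    print(heat_map_cell({"customers_out": 50, "financial_usd": 5_000,
                         "disruption_hours": 2, "serious_injuries": 0}, likelihood=4))
```

Because the dollar figure is one of the criteria, the worksheet totals from the quantification exercise drop straight into the enterprise risk register’s existing vocabulary; the quantification is not a competing scoring system, it is the evidence behind the cell.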
what if we don’t have a COMMON LANGUAGE?
Even in the case where it’s not clear, don’t reinvent the wheel!
Example: University of Cambridge’s Taxonomy of Threats for Complex Risk Management (Cambridge Risk Framework, Research Programme of the Cambridge Centre for Risk Studies: “A Taxonomy of Threats for Complex Risk Management”)
▪ “…taxonomy of macro-catastrophe threats that have the potential to cause damage and disruption to social and economic systems in the modern globalized world.”
▪ Contains 5 Primary Classes, 11 Families, 55 (Genus) Types
▪ Very high level
USE WHAT YOU NEED, not “all the things”
Cambridge Risk Framework: families (with their short names) and the five types in each
▪ Financial Shock (FinCat): Asset Bubble, Financial Irregularity, Bank Run, Sovereign Default, Market Crash
▪ Trade Dispute (TradeCat): Labour Dispute, Trade Sanctions, Tariff War, Nationalization, Cartel Pressure
▪ Geopolitical Conflict (WarCat): Conventional War, Asymmetric War, Nuclear War, Civil War, External Force
▪ Political Violence (HateCat): Terrorism, Separatism, Civil Disorder, Assassination, Organized Crime
▪ Natural Catastrophe (NatCat): Earthquake, Windstorm, Tsunami, Flood, Volcanic Eruption
▪ Climatic Catastrophe (WeatherCat): Drought, Freeze, Heatwave, Electric Storm, Tornado & Hail
▪ Environmental Catastrophe (EcoCat): Sea Level Rise, Ocean System Change, Atmospheric System Change, Pollution Event, Wildfire
▪ Technological Catastrophe (TechCat): Nuclear Meltdown, Industrial Accident, Infrastructure Failure, Technological Accident, Cyber Catastrophe
▪ Disease Outbreak (HealthCat): Human Epidemic, Animal Epidemic, Plant Epidemic, Zoonosis, Waterborne Epidemic
▪ Humanitarian Crisis (AidCat): Famine, Water Supply Failure, Refugee Crisis, Welfare System Failure, Child Poverty
▪ Externality (SpaceCat): Meteorite, Solar Storm, Satellite System Failure, Ozone Layer Collapse, Space Threat
▪ Other (NextCat)
CYBER & PHYSICAL CLASSES: cambridge taxonomy
Works like this might help you identify top-level categories to use.
[Figure: the Cambridge taxonomy chart with the families relevant to cyber and physical events highlighted; Cyber Catastrophe sits under Technological Catastrophe (TechCat), beside Industrial Accident and Infrastructure Failure]
how to bring it all together: BREAKDOWN
PROCESS/OUTPUTS: example table top & quantification, combining processes into one outcome
Exercise track: Exercise Program Priorities → Threats & Hazards Evaluation → Exercise Objectives → Design and Develop Exercise → Conduct Exercise → Exercise Evaluation → Areas to Improve?
Quantification track, run alongside the exercise: Define Impact Criteria → Quantify → Evaluate Impacts → MANAGE CYBER RISK IMPACTS
CIP & MEASUREMENT: where did we go wrong?
REALIZATION: measures ≠ measures
C2M2 AND MEASUREMENT: does subjectivity count?
Crawl-walk-run with reds-and-greens
C2M2 Asset, Change, and Configuration Management (ACM) domain excerpt: approach practices from ACM-1, management practices from ACM-4, by maturity indicator level

MIL0: no practices required
MIL1 (initial practices are performed, but may be ad hoc)
  Approach practices (ACM-1):
  1a. There is an inventory of OT and IT assets that are important to the delivery of the function; management of the inventory may be ad hoc
  1b. There is an inventory of information assets that are important to the delivery of the function; management of the inventory may be ad hoc
MIL2
  Approach practices (ACM-1):
  1c. Inventory attributes include information to support the cybersecurity strategy
  1d. Inventoried assets are prioritized based on their importance to the delivery of the function
  Management practices (ACM-4):
  a. Documented practices are followed for ACM activities
  b. Stakeholders for ACM activities are identified and involved
  c. Adequate resources (people, funding, and tools) are provided to support ACM activities
  d. Standards and/or guidelines have been identified to inform ACM activities
MIL3
  Approach practices (ACM-1):
  1e. There is an inventory for all connected IT and OT assets related to the delivery of the function
  1f. The asset inventory is current (as defined by the organization)
  Management practices (ACM-4):
  e. ACM activities are guided by policy (or other directives)
  f. ACM policies include compliance requirements for specified standards or guidelines
  g. ACM activities are periodically reviewed for conformance to policy
  h. Responsibility & authority for ACM activities are assigned to personnel
  i. Personnel performing ACM activities have adequate skills & knowledge
Mature capability requires both: CAN YOU RUN? (the approach practices) and CAN YOU KEEP RUNNING? (the management practices)
77
ARCHITECTURE OF TRUTH
when making sense doesn’t make sense
[Figure: layered architecture of truth; recovered labels only]
  Board / C-Suite / CRO: Enterprise mission and insight
    Information aggregation and interpretation challenge: governance challenge
  CISO: Security & risk program (C2M2, C2M2/CSF); loss scenarios; metrics
    Information aggregation and interpretation challenge: management challenge
  Technologies: networks/assets, apps/systems, controls/security tech; measurements
78
ARCHITECTURE OF TRUTH
when making sense doesn’t make sense
[Figure: the three levels of truth]
  BOARD TRUTH
    Information aggregation and interpretation challenge: governance challenge
  MANAGEMENT TRUTH
    Information aggregation and interpretation challenge: management challenge
  GROUND TRUTH
79
SCORECARDS & COLORS
again, it’s a start…
MANAGEMENT TRUTH
80
DOES TRUTH = TRUTH?
recall the levels of truth
[Figure: the three levels of truth]
  BOARD TRUTH
    Information aggregation and interpretation challenge: governance challenge
  MANAGEMENT TRUTH
    Information aggregation and interpretation challenge: management challenge
  GROUND TRUTH
82
Copyright 2019 Axio
“METRICS” & MORE COLORS
again, it’s a start…
GROUND TRUTH?
83
84
[Figure: impact taxonomy, 1st party vs. 3rd party by financial vs. tangible damages]
Financial Damages
  1st Party Damages (to your organization): response costs, legal expenses, restoring lost data, revenue loss
  3rd Party Damages (to others): restoration expense, legal expenses, credit monitoring costs, revenue loss
Tangible (Physical) Damages
  mechanical breakdown, property damage
85
[Figure: the same impact taxonomy (1st Party Damages to your organization / 3rd Party Damages to others, by Financial Damages / Tangible (Physical) Damages) with a dollar estimate ($) in each cell]
86
BACK IN THE BOARD ROOM
meanwhile,
87
[Figure: the four risk responses]
1. ACCEPT
2. TOLERATE
3. MITIGATE
4. TRANSFER
88
CYBER INSURANCE
examining
89
[Figure: mapping the impact taxonomy onto insurance covers; recovered labels only]
Financial Damages (1st party and 3rd party): CYBER INSURANCE POLICIES
Tangible (Physical) Damages: PROPERTY POLICIES? CASUALTY POLICIES?
  Emerging issue in established market
  Market in flux – exclusions being added to traditional covers
90
BALANCE SHEET
re-evaluate your
91
[Figure: the impact taxonomy (1st Party Damages to your organization / 3rd Party Damages to others, by Financial Damages / Tangible (Physical) Damages) with a dollar figure ($) in each cell]
92
NEW EQUATION, NEW CURVE
enterprise risk management’s
The existing “cyber risk equation” is not very hopeful:
  Risk = Impact x Probability
▪ Where Probability = function(threat, vulnerability)
▪ Are threats decreasing?
▪ Are vulnerabilities decreasing?
[Figure: risk rising over time (axes: Risk vs. Time)]
93
NEW EQUATION, NEW CURVE
enterprise risk management’s
Revise the equation to take control of your cyber risk:
  Risk = (Impact x Probability) / Security Capability
▪ This equation gives us a reduction in risk as our capabilities increase
[Figure: RISK vs. CYBERSECURITY CAPABILITY curve, with regions labelled Invest in Capability, Sustain Capability, Invest in Transfer]
1. Early capability improvements have high payoff in risk reduction
2. Payoff flattens as capability increases
3. Insurance transfers impact and results in a quantum risk reduction
4. Insurers want insureds to be on the flatter part of the capability curve
5. Invest accordingly
94
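As an added worked example (not Axio's code or the deck's own model) tying the impact taxonomy and insurance slides to the revised equation: it places a constructed tabletop scenario's line items into the 1st/3rd party by financial/tangible cells, applies constructed cyber, property and casualty policies (one carrying a modelled exclusion) to split impact into transferred and retained dollars, then runs Risk = Impact x Probability / Security Capability across capability levels to show the flattening payoff and the step change from transfer. Every dollar figure, the probability, the policy terms and the capability scale are assumptions.

```python
"""Worked model of the deck's damage taxonomy, insurance transfer and the
revised risk equation Risk = Impact x Probability / Security Capability.

Added example, not Axio's code. All dollar figures, the probability, the
capability scale and the policy terms are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Party(Enum):
    FIRST = "1st party (to your organization)"
    THIRD = "3rd party (to others)"


class Kind(Enum):
    FINANCIAL = "financial damages"
    TANGIBLE = "tangible (physical) damages"


@dataclass(frozen=True)
class Damage:
    label: str
    party: Party
    kind: Kind
    dollars: float


@dataclass
class Policy:
    name: str
    covers: frozenset          # quadrants of the taxonomy, as (Party, Kind) pairs
    limit: float               # policy limit in dollars
    responds: bool = True      # False models an exclusion added to a traditional cover


# Constructed tabletop scenario: a control-system intrusion damages a pump and
# interrupts service. Each line item sits in one cell of the taxonomy.
SCENARIO = [
    Damage("response costs", Party.FIRST, Kind.FINANCIAL, 400_000),
    Damage("restoring lost data", Party.FIRST, Kind.FINANCIAL, 150_000),
    Damage("revenue loss", Party.FIRST, Kind.FINANCIAL, 1_200_000),
    Damage("mechanical breakdown", Party.FIRST, Kind.TANGIBLE, 2_500_000),
    Damage("credit monitoring costs", Party.THIRD, Kind.FINANCIAL, 300_000),
    Damage("property damage", Party.THIRD, Kind.TANGIBLE, 900_000),
]

# Constructed policy tower: cyber covers financial damages for both parties; the
# property cover carries a cyber exclusion (does not respond), casualty still does.
FINANCIAL = frozenset({(Party.FIRST, Kind.FINANCIAL), (Party.THIRD, Kind.FINANCIAL)})
POLICIES = [
    Policy("cyber", FINANCIAL, limit=2_000_000),
    Policy("property", frozenset({(Party.FIRST, Kind.TANGIBLE)}), limit=5_000_000, responds=False),
    Policy("casualty", frozenset({(Party.THIRD, Kind.TANGIBLE)}), limit=1_000_000),
]


def impact_by_quadrant(damages):
    """Sum the scenario's dollars into the four cells of the taxonomy."""
    totals = {}
    for d in damages:
        key = (d.party, d.kind)
        totals[key] = totals.get(key, 0.0) + d.dollars
    return totals


def transfer(damages, policies):
    """Return (gross, transferred, retained) impact in dollars.

    Each cell is applied to every responding policy that covers it, in order,
    until the cell is paid in full or the policy limits are exhausted.
    """
    remaining_limit = {p.name: p.limit for p in policies}
    transferred = 0.0
    totals = impact_by_quadrant(damages)
    for quadrant, amount in totals.items():
        for p in policies:
            if amount <= 0:
                break
            if not p.responds or quadrant not in p.covers:
                continue
            paid = min(amount, remaining_limit[p.name])
            remaining_limit[p.name] -= paid
            transferred += paid
            amount -= paid
    gross = sum(totals.values())
    return gross, transferred, gross - transferred


def risk(impact, probability, capability):
    """The revised equation. Capability is a positive scalar (1.0 = today's baseline)."""
    if capability <= 0:
        raise ValueError("security capability must be positive")
    return impact * probability / capability


def marginal_reductions(impact, probability, capabilities):
    """Risk removed by each successive capability step; the values shrink as the curve flattens."""
    curve = [risk(impact, probability, c) for c in capabilities]
    return [round(before - after, 2) for before, after in zip(curve, curve[1:])]


if __name__ == "__main__":
    gross, moved, kept = transfer(SCENARIO, POLICIES)
    print(f"gross impact ${gross:,.0f}: transferred ${moved:,.0f}, retained ${kept:,.0f}")
    p = 0.25  # constructed annual probability of the scenario
    for c in (1.0, 2.0, 3.0, 4.0):
        print(f"capability {c:.0f}: risk without transfer ${risk(gross, p, c):,.0f}, "
              f"with transfer ${risk(kept, p, c):,.0f}")
    print("marginal reduction per capability step:", marginal_reductions(kept, p, [1, 2, 3, 4]))
```

The retained figure is what the balance sheet still carries after the covers respond; the excluded property cover shows why the tangible cells cannot be assumed insured.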
95
THANK YOU
Jason D. Christopher
Chief Technology Officer
jchristopher@axio.com
@jdchristopher
linkedin.com/in/jdchristopher
www.axio.com/presentations
96

2019 10-22 axio - taking control of cyber risk - grid-seccon

  • 2. Taking Control of Cyber Risk 22 October 2019 Jason Christopher CTO, Axio 2
  • 3. Chief Technology Officer // ICS Security Lead JASON CHRISTOPHER ▪ Leads critical infrastructure strategy at Axio; actively involved in platform development ▪ Certified SANS Instructor for ICS ▪ Frequent speaker at conference and client events ▪ Federal energy lead for several industry standards and guidelines, including NERC CIPv5, NIST CSF, and the C2M2 ▪ Incident response and risk management lead for DOE ▪ Security metrics development across EPRI and other research organizations ▪ Began career building control systems at a utility ▪ MS, Electrical Engineering, Cornell ▪ Based in Atlanta, GA 4
  • 4. BEFORE we’ve talked about this Smaller beard, but still dashing ▪ Measure in dollars, move away from colors ▪ Link to insurance policies, like property & casualty, to link to the CFO ▪ Get invited to the board room and stay there! Today we’ll use one key metric Also wrote something for the SANS Reading Room 5
  • 5. ▪ Name ▪ Where you’re from ▪ Role(s)? ▪ Cyber risk experience? ▪ Expectations introductions 6
  • 6. AND CYBER RISK a little about us Cyber Risk Quantification Prioritization Cybersecurity Assessment Insurance Stress Testing What’s my exposure in financial terms?1. How mature is my cyber program?2. Do I have the financial ability to recover?3. Where should I invest?4. Axio’s unique methodology and software that helps answer the four most critical questions for cyber risk: 7
  • 9. but why is measuring it SO DIFFICULT? 10
  • 10. GETTING DATA IS HARD  myth #1 Then you’re doing this wrong ▪ What can you measure? Start somewhere ▪ Understand that metrics improve with time (only barbarians measure in “stones” and “feet”) ▪ Resources may be constrained at first ▪ But if you don’t try, it won’t get better You really mean “I need the right starting point” Literally, just do something. 11
  • 11. SECURITY IS AN ART myth #2 Really bad argument here… ▪ Can you document something? ▪ Can you count something? ▪ Observe the trends where you can There’s measurement in almost everything Literally, just do anything. 12
  • 12. THIS TAKES TOO MUCH TIME myth #3 Engineering 101: “Optimize within your constraints.” ▪ Team of 1? That still works (more on this later) ▪ Don’t boil the ocean and don’t build a team to “admire the problem.” ▪ Anything worth doing takes time and effort! Size your efforts to your team “If you’re not keeping score, you’re just practicing” – Vince Lombardi 13
  • 13. our story so far is… A ROCKY ONE…
  We're unlike other parts of the business: "security" has some communication issues:
  Defining "cyber risk" comparative to other risks across operations
  ▪ Leads to a sense of false equivalency – both in description of the risk and how the risk should be addressed.
  ▪ No clear consensus on the metrics
  Creating metrics to measure performance of both the security program and threats
  ▪ Creating a metrics program may compete against actual protective controls
  ▪ Identifying the right audience for risk metrics is… exhausting.
  The cyber risk profession needs to play "catch up," and fast.
  • 15. fixing the issues starts with THE RIGHT METRIC
  "If you're not keeping score, you're just practicing." – Vince Lombardi
  • 19. metrics and OPERATIONS
  ▪ Understanding the terms of art
  ▪ Tools to translate between silos
  safety and security CULTURE
  ▪ Key categories of cyber risk: property damage, environmental damage, computer systems damage
  APPLICABILITY with leadership
  ▪ Mechanics of risk management
  ▪ Risk transfer challenges and optimization
  ▪ Effective controls to minimize the risk
  • 20. where do we START?
  Use the tools you already have at your disposal. Security teams: table top exercises!
  ▪ Already used to report on capabilities (if done right)
  ▪ With a few minor tweaks (and breaking a few silos), every exercise can help quantify cyber risk.
  • 21. MIXING it up and having some FUN
  • 22. Real World Example Cyber Events: What should go into a table top scenario? (© 2019 Axio Global, Inc.)
  • 23. 2009: Destructive attack of industrial control system – Stuxnet
  ▪ Iran's Natanz uranium enrichment facility
  ▪ Extensive physical damage: 1000 industrial centrifuges were damaged or destroyed by overtaking the industrial control system and changing motor speeds while sending fake signals to the control room to indicate normal conditions
  ▪ Control system was "air-gapped." Malware was hidden on a USB drive
  ▪ Considered to be the first cyber attack resulting in major physical damage
  The Telegraph, 30 Nov 2010; http://securityaffairs.co/wordpress/4544/hacking/stuxnet-duqu-update-on-cyber-weapons-usage.html
  • 24. 2014: Germany Destructive Attack — Steel Mill
  ▪ Cyber attack on steel mill via spear phishing
    • Disrupted industrial control system for blast furnace
    • Furnace could not be shut down
    • Resulted in "massive" unspecified damage
  ▪ Revealed by German Federal Office for Information Security (BSI) in December 2014. Few details are known about the event; Germans remain quiet.
  ▪ Motive is unclear
  • 25. Coordinated Attack — Ukrainian Power Outage, Dec 2015
  225,000 customers lost power for < 6 hrs; 135 MW
  Highly coordinated efforts were synchronized against three power distribution utilities:
  1. SCADA hijack with malicious operation to open breakers
  2. Disconnected backup power & flooded call centers to delay outage response
  3. Corrupted firmware on communication devices at substations and wiped workstations & servers to amplify attack
  Results could be more impactful in the US due to our heavy reliance on automation and relative inexperience with manual operations.
  • 26. Transmission attack – Ukrainian Power Outage 2016
  ▪ 1.25-hour outage at one transmission substation outside Kiev, Dec 2016
  ▪ 200 MW power loss = 1/5 of power necessary for Kiev
  ▪ Investigation pending…
  ▪ Attacks at the transmission level have more widespread impact
  • 27. Dragonfly 2.0 – Reported by Symantec — Sept. 2017 [Greenberg 2017b]
  ▪ Campaign targeting energy firms — since 2011, dramatic uptick in 2017
  ▪ More than 20 companies' networks were penetrated; in a 'handful', the attackers obtained access to "control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers."
  ▪ Such access would allow attacks similar to Ukraine 2015.
  • 28. U.S. Pipelines, April 2018 – Attack on EDI vendor causes communications disruptions
  ▪ Attackers targeted Latitude Technologies, a Texas-based provider of electronic data interchange (EDI) services
  ▪ Latitude provides EDI and other technology services to more than 100 entities
  ▪ Gas service was not affected, though several companies reported interruptions to their communications, including
    • Oneok
    • Energy Transfer Partners
    • Boardwalk Pipeline Partners
    • Eastern Shore Natural Gas
  ▪ Solid example of cyber affecting third-party organizations
  • 29. TRITON/TRISIS ICS Attack – 2017 attack on critical infrastructure Safety Instrumented System (SIS)
  ▪ SIS are uniquely configured per facility and provide the last line of defense to preserve safety in any off-normal event.
  ▪ Attacker achieved access to and control of both the industrial control system and the SIS.
  ▪ While the attacker had control of the SIS, a bug in their code caused the SIS to crash, shut down the facility, and then led to the discovery of the intrusion.
  ▪ Reverse engineering found the RAT (remote access Trojan) but not the attack module(s).
  ▪ Attacker 'owned' the entire ICS network and could have easily initiated shutdown or stolen process information.
  ▪ Attacker also went after the SIS, clearly indicating that they wanted to cause harm to people and damage to equipment.
  • 30. Wannacry Ransomware Outbreak – 12 May 2017
  ▪ 230 companies in more than 150 countries
  ▪ Leveraged 'Eternal Blue' — an exploit developed by NSA based on a flaw in Microsoft Windows' Server Message Block (SMB) protocol
  ▪ Attack halted when cyber researcher discovered and activated kill switch
  Animated map from New York Times, accessed 2017-05-14: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
  • 31. Petya/Nyetya/NotPetya – 27 June 2017
  ▪ Data wiper disguised as a ransom-worm
  ▪ Originated in Ukraine but spread globally
  ▪ Exploited the Eternal Blue vulnerability (NSA)
  ▪ 2M computers within 2 hours of release
  ▪ Many prominent firms were impacted. Cyence estimates $850M in damages. Maersk reports $200-300M in damages.
  ▪ Motive and origin are a mystery, but many believe that it was targeted to damage Ukraine or serve as a smokescreen
  • 32. Data Destruction — Shamoon timeline
  ▪ Aug 2012 – Saudi Aramco: 35,000 computers wiped, rendered inoperable; 10-day recovery
  ▪ Aug 2012 – RasGas: similar attack
  ▪ Feb 2014 – Las Vegas Sands: data stolen; 1000's of computers wiped; CEO Adelson had called for nuking Iran
  ▪ Nov 2014 – Sony Pictures: data stolen & crippling data destruction (The Interview)
  ▪ Nov 2016 – 6 Saudi agencies: Shamoon time-bombs synchronized; computer date change preceded attack
  ▪ Jan 23, 2017, 9:02 am – ≥ 7 Saudi orgs: hit at least 3 gov't & 4 private orgs; several petrochem
  • 33. Other Common Cyber Risk Categories
  In addition to tangible destruction and data destruction, we should be aware of these:
  ▪ Theft or Loss of Data – Personal data, credit card data, business data — any data with black-market or competitive value is at risk. Historically, the primary cyber peril. Motive: financial or competitive gain, extortion, intel gathering
  ▪ Business Email Compromise – Theft of funds through cyber trickery. Up 1300% since early 2015; FBI reports 22,143 victims and $3.1 billion stolen through mid 2016. Motive: financial
  ▪ Communications Disruption – Website or network disruption; website defacement; social media takeover. DDOS attacks have dramatically increased in severity. Motive: financial, ideological, extortion, terrorism, or war
  • 34. Threat climate takeaways
  ▪ Increasing threat actor capabilities for industrial control system attacks
    • Safety system attacks are a new front, very concerning
    • Automated attack frameworks represent considerable risk
    • Increased signals that physical damage is being attempted
  ▪ Relative likelihood
    • Motive is a big differentiator, but is not the sole factor
    • NotPetya damaged many organizations opportunistically, as worms typically will
    • Cyber-physical attacks are less likely, but have the potential for catastrophic impact
  ▪ Bottom line: we are all at increasing risk
  Cyber-physical attacks: less likely, but large potential impact (example: TRITON/TRISIS). Availability events: more likely, disruption-oriented (examples: ransomware, worms).
  • 36. Overview – Quantifying Cyber Exposure Exercise
  GOAL: Demonstrate cyber risk quantification methods
  This session will be a mock quantification workshop:
  ▪ Workshop overview
  ▪ Fictitious company profile
  ▪ Mini-process based on a pre-planned loss scenario
  ▪ Wrap-up discussion
  • Workshop typically requires ~1 day
  • We will shortcut some workshop elements
  • 37. Company profile – Acme Utilities
  ▪ Warner City-based, large-sized independently owned utility
    • Transmission, Distribution, Telecommunications, Natural Gas
    • 5,000,000 customers
    • New AMI project being rolled out
  ▪ 2018 revenue: $20 billion
  Yes, this is made up. No, you should not "fight the scenario."
  • 38. Quantification Workshop Participants
  1. Wile E. Coyote – ACME Risk Manager; workshop co-host; responsible for ERM and risk transfer program
  2. Ray Wilson – ACME SVP for IT; workshop co-host; responsible for enterprise IT operations
  3. Mike Shuster – ACME CISO; responsible for enterprise security, physical and logical, IT and OT
  4. Nader White – ACME Senior Counsel, Chief Privacy Officer
  5. David Young – ACME Director of Distribution Operations
  6. Lisa Curtis – ACME Director of Water Operations
  7. Scott Mehravari – ACME Director of Finance & Supply Chain
  8. Pamela Fry – ACME Director of Metering
  9. Jason Kannry – ACME Director of Telecommunications Operations
  10. Dan Brown – ACME Insurance Program Lead
  11. Kevin Gonzalez – ACME Director of Engineering
  12. Julia Moore – Axio Co-Facilitator
  13. Nikki Bogle – Axio Co-Facilitator
  • 39. Quantification Process Overview
  Brainstorm Scenarios
  ▪ Brainstorm cyber loss scenarios that would impact operations
  ▪ Use brainstorming framework to consider various scenario types
  ▪ Identify many scenarios with large potential impacts
  Select Priority Scenarios
  ▪ Select and rank a subset of the scenarios considered to pose the largest operational and financial impact
  ▪ Objective is to identify 5-10 scenarios
  Quantify Impact
  ▪ For each scenario, estimate impact using taxonomy worksheet
  ▪ Objective is to complete estimates for as many of the selected scenarios as possible in the time available
  • 41. Model Loss Scenario – Ask the question: What keeps you up at night?
  ▪ Elements:
    • Scenario # (sequential)
    • Who (the actor or an event)
    • Their motive (if applicable)
    • What they did or what happened (the action)
    • The result on operations, data, systems, or other business elements
    • Final outcome/damages of the action or event (data compromised, equipment or facilities damaged, revenues lost, and so forth)
    • Lines of business (or categories of operations) affected
  ▪ For example: Scenario 12: A financially motivated cyber actor infects our finance and customer management systems with ransomware, which renders them inoperable and causes the loss of all billing, customer, and employee data. Multiple lines of business are affected, including paychecks for employees. We are unable to complete any financial transactions or manage customer accounts, resulting in revenue and customer service delays. We ultimately pay the ransom, but the system was unavailable for 2 weeks.
  • 42. Scenario Brainstorm Framework – Cyber Event Vectors
  1. Data theft; Cyber espionage; IP Theft
    • Loss of IP
    • Loss/disclosure of PII, PHI, PCI
  2. Data destruction or alteration
  3. Network interruption or outage
    • DDOS (internal or external)
    • Network infrastructure attacks
    • Dependent parties (e.g. cloud)
  4. Cyber theft of funds
  5. Attacks on control systems
    • Controls takeover
    • Plant & machinery damage
    • Production outage or issues
  6. Cyber extortion (likely combined with one of above)
  7. Other
  • 43. Scenario Brainstorm Framework – the same cyber event vectors (1-7) as rows, crossed with Acme Utilities Operations as columns: A Telecomm, B Distribution, C Gas, D New AMI, E Business Operations, F Other
  • 44. Cyber Loss Scenario Brainstorming – Summary results
  ▪ After the brainstorming framework was presented and discussed, a total of 42 scenarios were brainstormed by the participants, and were captured on flip charts in the workshop room.
  ▪ Over lunch, each participant selected the scenarios they were most concerned about from an impact perspective. Votes were tallied to develop a priority list of top scenarios.
  ▪ The following page shows an example brainstorming framework and highlights the 4 selected scenarios as a result of the prioritization process.
  • 45. Top Scenarios (plotted on the brainstorming framework: cyber event vectors 1-7 versus Acme Utilities Operations A Telecomm, B Power, C Gas, D New AMI, E Business Operations, F Other)
  1. PCI and employee data theft
  2. Shamoon-type wiper event across all business units
  3. Operational Disruption with a communications network distractor (ICS malware component)
  4. Gas billing ransomware
  • 46. New AMI and Smart Grid Integration – A vision for ACME's future!
  • Received federal grant money for a new smart grid AMI installation and worked with WECE on design and implementation.
  • Uses state-of-the-art wireless technology to provide operational visibility and big data analytics across not only the AMI capabilities, but ACME's unique broadband utility and water operations.
  • Awarded "Most Beautiful Inverter Design" by IEEE Power Engineering Society
  • 47. Scenario 3: Operational Disruption with a Communications Network Distractor
  ▪ Motivated political or environmental actor
  ▪ Combines two attack types – one targeting the wireless network to distract operators, the other on ACME's AMI
  ▪ The attackers exploit a misconfiguration in ACME's wireless network, and execute an attack that disrupts communication of metering data, creating confusion about the status of the power operations.
  ▪ Attackers install ransomware on operator terminals and disable the telecommunications across the shared broadband, water, and AMI networks
  ▪ The final stage of the attack executes a remote disconnect to a large number of meters and "bricks" a smaller subset. Since communications are down, ACME needs to manually restore or replace the meters.
  We'll take a few minutes to read the scenario; then we'll begin quantifying the cyber risk!
  • 49. The Axio Quadrants taxonomy for cyber events
  Financial Impacts – First Party Impacts: your income and expenses; Third Party Impacts: others' income and expenses
  Tangible Impacts – First Party Impacts: your people, property, and environment; Third Party Impacts: others' people, property, and environment
  • 50. Top Quadrants: Financial Impacts
  Some of these impacts are data-breach centric; many could apply to any event.
  First Party Impacts:
  • Response costs: forensics, notifications, credit monitoring
  • Legal expenses: advice and regulatory filings
  • Lost income from network or computer outages, including cloud
  • Theft of funds, monies, or securities
  • Cost of restoring lost data
  • Cyber extortion expenses
  • Value of stolen intellectual property
  • Other financial damages
  Third Party Impacts:
  • Consequential lost income
  • Restoration expenses
  • Legal defense
  • Civil fines and penalties
  • Shareholder losses
  • Other financial damages
  • 51. Bottom Quadrants: Tangible Impacts
  These impacts are of increasing concern to all companies, especially critical infrastructure.
  First Party Impacts:
  • Mechanical breakdown of your equipment
  • Destruction or damage to your facilities or other property
  • Environmental cleanup of your property
  • Lost income from physical damage to your (or dependent) equipment or facilities (business interruption)
  • Bodily injury to your employees
  • Other tangible damages
  Third Party Impacts:
  • Mechanical breakdown of others' equipment
  • Destruction or damage to others' facilities or other property
  • Environmental cleanup of others' property
  • Bodily injury to others
  • Product liability
  • Product recall expenses
  • Other tangible damages
  • 52. First-Party Financial Impacts worksheet (columns: Impact Category | Assumptions | Estimate (ranges are ok))
  ▪ Response costs: forensics, notifications, credit monitoring
  ▪ Legal advice
  ▪ Revenue losses from network, cloud, or computer outages
  ▪ Cost of restoring lost data
  ▪ Cyber extortion payments
  ▪ Value of stolen intellectual property
  ▪ Reputational harm
  ▪ TOTAL
  • 53. First-Party Financial Impacts worksheet (filled in: Impact Category – Assumptions – Estimate)
  ▪ Response costs: forensics, notifications, credit monitoring – Forensics Team Hourly Rate ($250) * Forensics Team Weeks (5) * Forensics Team Size (4) * Forensics Team Hours per week (60) – $300,000
  ▪ Legal advice – (blank)
  ▪ Revenue losses from network, cloud, or computer outages – [Annual Revenue (365m) / Days in Year (365)] * Days of Lost Revenue (10) – $10,000,000
  ▪ Cost of restoring lost data – (blank)
  ▪ Cyber extortion payments – (blank)
  ▪ Value of stolen intellectual property – (blank)
  ▪ Reputational harm – (blank)
  ▪ TOTAL – $10,300,000
  • 54. Third-Party Financial Impacts worksheet (columns: Impact Category | Assumptions | Estimate (ranges are ok))
  ▪ Consequential revenue losses
  ▪ Restoration expenses
  ▪ Legal defense
  ▪ Shareholder losses (including D&O suits)
  ▪ Other financial damages
  ▪ TOTAL
  • 55. Third-Party Financial Impacts worksheet (filled in: Impact Category – Assumptions – Estimate)
  ▪ Consequential revenue losses – (blank)
  ▪ Restoration expenses – (blank)
  ▪ Legal defense – (blank)
  ▪ Shareholder losses (including D&O suits) – (blank)
  ▪ Other financial damages – Civil fines and penalties from regulators – $20,000,000 - $40,000,000
  ▪ TOTAL – $20,000,000 - $40,000,000
  • 56. First-Party Tangible Impacts worksheet (columns: Impact Category | Assumptions | Estimate (ranges are ok))
  ▪ Mechanical breakdown of your equipment
  ▪ Destruction or damage to your facilities or other property
  ▪ Environmental cleanup of your property
  ▪ Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
  ▪ Bodily injury to your employees
  ▪ TOTAL
  • 57. First-Party Tangible Impacts worksheet (filled in: Impact Category – Assumptions – Estimate)
  ▪ Mechanical breakdown of your equipment – Firmware damage to computing equipment: [Control System Server Count (100) * Server Cost ($10,000)] + [Workstations (500) * Workstation Cost ($1,000)] + [Switches (150) * Switch Cost ($2,000)] – $2,150,000
  ▪ Destruction or damage to your facilities or other property – (blank)
  ▪ Environmental cleanup of your property – (blank)
  ▪ Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption) – (blank)
  ▪ Bodily injury to your employees – (blank)
  ▪ TOTAL – $2,150,000
  • 58. Third-Party Tangible Impacts worksheet (columns: Impact Category | Assumptions | Estimate (ranges are ok))
  ▪ Mechanical breakdown of others' equipment
  ▪ Destruction or damage to others' facilities or other property
  ▪ Environmental cleanup of others' property
  ▪ Bodily injury to others
  ▪ TOTAL
  • 59. Third-Party Tangible Impacts worksheet (filled in: Impact Category – Assumptions – Estimate)
  ▪ Mechanical breakdown of others' equipment – (blank)
  ▪ Destruction or damage to others' facilities or other property – [Compromised Partner Servers (20) * Partner Server Cost ($2000)] + [Compromised Partner Workstations (50) * Partner workstation cost ($500)] – $65,000
  ▪ Environmental cleanup of others' property – (blank)
  ▪ Bodily injury to others – (blank)
  ▪ TOTAL – $65,000
  • 60. Assignment time! Estimate Potential Impact per Scenario
  ▪ Develop rough estimates of the potential impact from the selected scenarios by loss category
    • Use impact analysis worksheet
    • Note: impact estimates are not necessary for all loss categories; rough estimates for categories of highest impact will suffice.
    • Feel free to use Google or "call a friend," but make this quick!
    • Each table should be prepared to talk about their assumptions and ranges.
  What decreases impact costs? (MAKE ASSUMPTIONS)
    • Additional cybersecurity capabilities – what's missing?
    • Engineered resilience – could this be prevented?
    • How to talk about cyber risk and dollars to executives?
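The Scenario 3 worksheets above as code, added here as an example and not Axio's own software: each line item is a product of the named assumptions the slides list, an estimate may be a point value or a (low, high) range, and quadrant and scenario totals are recomputed rather than typed in. One check this surfaces: the first-party tangible line recomputed from its stated assumptions comes to $1,800,000, not the $2,150,000 shown on the slide.

```python
"""Scenario 3 impact worksheets (Axio Quadrants) as code.

Added example, not Axio's own software: every line item is a product of the
assumptions the slides list, totals are recomputed from those inputs, and an
estimate may be a point value or a (low, high) range, as the worksheet allows.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Range = Tuple[float, float]  # (low, high) in USD


def as_range(value) -> Range:
    """Normalise a point estimate or a (low, high) tuple to a range."""
    if isinstance(value, tuple):
        low, high = value
        if low > high:
            raise ValueError(f"range low {low} exceeds high {high}")
        return (low, high)
    return (value, value)


def add_ranges(a: Range, b: Range) -> Range:
    return (a[0] + b[0], a[1] + b[1])


@dataclass
class LineItem:
    """One worksheet row: an impact category, its named assumptions, and the
    formula that combines them (the 'Assumptions' column on the slide)."""
    category: str
    assumptions: Dict[str, float]
    formula: Callable[..., object]

    def estimate(self) -> Range:
        return as_range(self.formula(**self.assumptions))


@dataclass
class Quadrant:
    """One of the four Axio quadrants (first/third party x financial/tangible)."""
    name: str
    items: List[LineItem] = field(default_factory=list)

    def total(self) -> Range:
        total: Range = (0.0, 0.0)
        for item in self.items:
            total = add_ranges(total, item.estimate())
        return total


def scenario_3_worksheet() -> Dict[str, Quadrant]:
    """Rows and figures as filled in on the Scenario 3 slides. Categories
    left blank on the slides are omitted, as the assignment allows."""
    first_party_financial = Quadrant("First-Party Financial", [
        LineItem("Response costs: forensics, notifications, credit monitoring",
                 dict(hourly_rate=250, weeks=5, team_size=4, hours_per_week=60),
                 lambda hourly_rate, weeks, team_size, hours_per_week:
                     hourly_rate * weeks * team_size * hours_per_week),
        LineItem("Revenue losses from network, cloud, or computer outages",
                 dict(annual_revenue=365_000_000, days_in_year=365, days_lost=10),
                 lambda annual_revenue, days_in_year, days_lost:
                     annual_revenue / days_in_year * days_lost),
    ])
    third_party_financial = Quadrant("Third-Party Financial", [
        LineItem("Civil fines and penalties from regulators",
                 dict(low=20_000_000, high=40_000_000),
                 lambda low, high: (low, high)),  # the slide gives a range
    ])
    first_party_tangible = Quadrant("First-Party Tangible", [
        LineItem("Mechanical breakdown of your equipment (firmware damage)",
                 dict(servers=100, server_cost=10_000,
                      workstations=500, workstation_cost=1_000,
                      switches=150, switch_cost=2_000),
                 lambda servers, server_cost, workstations, workstation_cost,
                        switches, switch_cost:
                     servers * server_cost
                     + workstations * workstation_cost
                     + switches * switch_cost),
    ])
    third_party_tangible = Quadrant("Third-Party Tangible", [
        LineItem("Destruction or damage to others' facilities or property",
                 dict(partner_servers=20, partner_server_cost=2_000,
                      partner_workstations=50, partner_workstation_cost=500),
                 lambda partner_servers, partner_server_cost,
                        partner_workstations, partner_workstation_cost:
                     partner_servers * partner_server_cost
                     + partner_workstations * partner_workstation_cost),
    ])
    return {q.name: q for q in (first_party_financial, third_party_financial,
                                first_party_tangible, third_party_tangible)}


def scenario_total(quadrants: Dict[str, Quadrant]) -> Range:
    """Sum of all four quadrants: the figure that goes to the CFO."""
    total: Range = (0.0, 0.0)
    for quadrant in quadrants.values():
        total = add_ranges(total, quadrant.total())
    return total


def format_range(r: Range) -> str:
    low, high = r
    return f"${low:,.0f}" if low == high else f"${low:,.0f} - ${high:,.0f}"


if __name__ == "__main__":
    worksheet = scenario_3_worksheet()
    for name, quadrant in worksheet.items():
        print(f"{name}: {format_range(quadrant.total())}")
        for item in quadrant.items:
            print(f"  {item.category}: {format_range(item.estimate())}")
    print(f"Scenario 3 total: {format_range(scenario_total(worksheet))}")
```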
  • 63. metrics and OPERATIONS
  ▪ Understanding the terms of art
  ▪ Tools to translate between silos
  safety and security CULTURE
  ▪ Key categories of cyber risk: property damage, environmental damage, computer systems damage
  APPLICABILITY with leadership
  ▪ Mechanics of risk management
  ▪ Risk transfer challenges and optimization
  ▪ Effective controls to minimize the risk
  • 64. HEAT MAPS ARE DEAD – long live heat maps
  Score grid (cell = impact level + probability level):
  Impact \ Probability   Rare (1)  Remote (2)  Possible (3)  Likely (4)  Very Likely (5)
  Catastrophic (5)          6         7           8            9           10
  Significant (4)           5         6           7            8            9
  Moderate (3)              4         5           6            7            8
  Minor (2)                 3         4           5            6            7
  Insignificant (1)         2         3           4            5            6
  Response: Accept (Score = 2, 3); Monitor (Score = 4, 5); Manage (Score = 6); Avoid/Resolve (Score = 7); Urgently Avoid/Resolve (Score = 8, 9, 10)
  Use the tools and language of your risk management peers – change won't happen overnight!
  • 65. HEAT MAPS ARE DEAD – long live heat maps
  Use the tools and language of your risk management peers – change won't happen overnight!
  Impact Categories                      Insignificant   Minor            Moderate         Significant       Catastrophic
  Outage of more than X customers        10 customers    100 customers    500 customers    1,000 customers   5,000 customers
  Financial impact of more than $Y       $1,000          $20,000          $80,000          $200,000          $500,000
  Business ops disruption of ≥ Z time    1 hour          4 hours          8 hours          2 days            5 days
  Serious injury to ≥ A people           0 people        0 people         1 person         10 people         50 people
  Breach of data for ≥ B customers       100 customers   1,000 customers  5,000 customers  10,000 customers  100,000 customers
  ...and so forth
  • 66. what if we don't have COMMON LANGUAGE?
  Even in the case where it's not clear – don't reinvent the wheel!
  Example: University of Cambridge's Taxonomy of Threats for Complex Risk Management (Research Programme of the Cambridge Centre for Risk Studies; Cambridge Risk Framework, "A Taxonomy of Threats for Complex Risk Management")
  ▪ …taxonomy of macro-catastrophe threats that have the potential to cause damage and disruption to social and economic systems in the modern globalized world.
  ▪ Contains
    • 5 Primary Classes
    • 11 Families
    • 55 (Genus) Types
  ▪ Very high level
  • 67. USE WHAT YOU NEED – not "all the things"
  [Figure: the Cambridge Risk Framework taxonomy wheel. Top-level labels shown: Financial Shock (FinCat), Trade Dispute (TradeCat), Geopolitical Conflict (WarCat), Political Violence (HateCat), Natural Catastrophe (NatCat), Climatic Catastrophe (WeatherCat), Environmental Catastrophe (EcoCat), Technological Catastrophe (TechCat), Disease Outbreak (HealthCat), Humanitarian Crisis (AidCat), Externality (SpaceCat), Other (NextCat); "Cyber Catastrophe" sits under Technological Catastrophe.]
  • 68. cambridge taxonomy – CYBER & PHYSICAL CLASSES
  Works like this might help you identify top-level categories to use
  [Figure: excerpt of the same taxonomy wheel, highlighting Technological Catastrophe (TechCat, including Cyber Catastrophe) alongside the natural, climatic, geopolitical and disease categories.]
  • 70. PROCESS/OUTPUTS – example table top & quantification, combining processes into one outcome
  Exercise track: Exercise Program Priorities → Exercise Objectives → Design and Develop Exercise → Conduct Exercise → Evaluation → Areas to Improve?
  Quantification track: Threats & Hazards Evaluation → Define Impact Criteria → Quantify → Evaluate impacts → MANAGE CYBER RISK IMPACTS
  • 72. CIP & MEASUREMENT – where did we go wrong?
  REALIZATION: measures ≠ measures
  • 73. C2M2 AND MEASUREMENT – does subjectivity count? Crawl-walk-run with reds-and-greens
  • 74. C2M2 AND MEASUREMENT – does subjectivity count? Crawl-walk-run with reds-and-greens
  Level – Approach Practices (from ACM-1) – Management Practices (from ACM-4)
  MIL0 – none – none
  MIL1 – 1a. There is an inventory of OT and IT assets that are important to the delivery of the function; management of the inventory may be ad hoc. 1b. There is an inventory of information assets that are important to the delivery of the function; management of the inventory may be ad hoc – Initial practices are performed, but may be ad hoc
  MIL2 – 1c. Inventory attributes include information to support the cybersecurity strategy. 1d. Inventoried assets are prioritized based on their importance to the delivery of the function – a. Documented practices are followed for ACM activities. b. Stakeholders for ACM activities are identified and involved. c. Adequate resources (people, funding, and tools) are provided to support ACM activities. d. Standards and/or guidelines have been identified to inform ACM activities
  MIL3 – 1e. There is an inventory for all connected IT and OT assets related to the delivery of the function. 1f. The asset inventory is current (as defined by the organization) – e. ACM activities are guided by policy (or other directives). f. ACM policies include compliance requirements for specified standards or guidelines. g. ACM activities are periodically reviewed for conformance to policy. h. Responsibility & authority for ACM activities are assigned to personnel. i. Personnel performing ACM activities have adequate skills & knowledge
  • 75. C2M2 AND MEASUREMENT (same table) – Mature capability requires both: CAN YOU RUN? CAN YOU KEEP RUNNING?
  • 76. ARCHITECTURE OF TRUTH – when making sense doesn't make sense
  [Figure: layered diagram. Top: Enterprise Mission and Insight (Board, C-Suite, CRO, CISO) – governance challenge. Middle: Security & Risk Program (C2M2, C2M2/CSF, loss scenarios, metrics) – management challenge. Bottom: Technologies (Networks/Assets, Apps/Systems, Controls/Security Tech; measurements). Between each pair of layers: information aggregation and interpretation challenge.]
  • 77. ARCHITECTURE OF TRUTH – when making sense doesn't make sense
  BOARD TRUTH – governance challenge; information aggregation and interpretation challenge
  MANAGEMENT TRUTH – management challenge; information aggregation and interpretation challenge
  GROUND TRUTH
  • 78. SCORECARDS & COLORS – again, it's a start… (MANAGEMENT TRUTH)
  • 80. DOES TRUTH = TRUTH? recall the levels of truth
  BOARD TRUTH – governance challenge; information aggregation and interpretation challenge
  MANAGEMENT TRUTH – management challenge; information aggregation and interpretation challenge
  GROUND TRUTH
  • 81. "METRICS" & MORE COLORS – again, it's a start… (GROUND TRUTH?) Copyright 2019 Axio
  • 83. Quadrant grid: 1st Party Damages (to your organization) / 3rd Party Damages (to others) × Financial Damages / Tangible (Physical) Damages, populated with example damage types: RESPONSE COSTS, LEGAL EXPENSES, RESTORING LOST DATA, REVENUE LOSS, RESTORATION EXPENSE, LEGAL EXPENSES, CREDIT MONITORING COSTS, REVENUE LOSS, MECHANICAL BREAKDOWN, PROPERTY DAMAGE
  • 84. [Figure: the same 1st Party / 3rd Party × Financial / Tangible (Physical) quadrant grid, with dollar amounts in place of the damage types.]
  • 85. meanwhile, BACK IN THE BOARD ROOM
  • 88. Where the quadrants meet insurance
  Financial Damages (1st Party Damages, 3rd Party Damages): CYBER INSURANCE POLICIES – Emerging Issue in Established Market
  Tangible (Physical) Damages: PROPERTY POLICIES? CASUALTY POLICIES? – Market in Flux – Exclusions Being Added to Traditional Covers
  • 91. enterprise risk management's NEW EQUATION, NEW CURVE
  The existing "cyber risk equation" is not very hopeful:
  Risk = Impact x Probability
  ▪ Where Probability = function(threat, vulnerability)
  ▪ Are threats decreasing?
  ▪ Are vulnerabilities decreasing?
  [Chart: Risk vs. Time]
  • 92. enterprise risk management's NEW EQUATION, NEW CURVE
  Revise the equation to take control of your cyber risk:
  Risk = (Impact x Probability) / Security Capability
  ▪ This equation gives us a reduction in risk as our capabilities increase
  [Chart: RISK vs. CYBERSECURITY CAPABILITY, with regions Invest in Capability, Invest in Transfer, Sustain Capability]
  1. Early capability improvements have high payoff in risk reduction
  2. Payoff flattens as capability increases
  3. Insurance transfers impact and results in a quantum risk reduction
  4. Insurers want insureds to be on the flatter part of the capability curve
  5. Invest accordingly
  • 94. THANK YOU
  Jason D. Christopher, Chief Technology Officer
  jchristopher@axio.com | @jdchristopher | linkedin.com/in/jdchristopher
  www.axio.com/presentations