The document summarizes key points from a presentation on assessing and quantifying cyber risk for industrial control systems. It discusses challenges in measuring cyber risk, provides examples of past destructive cyber attacks on industrial facilities, and outlines common categories of cyber risk beyond tangible destruction, including theft of data, business email compromise, and communications disruption. Examples of real-world incidents demonstrate how attacks can damage infrastructure and cause power outages, with the intention being to illustrate what types of scenarios could be included in tabletop exercises to help organizations assess their cyber risk exposure.
Data Breach Crisis Control – How to Communicate When You’re in the Hot Seat, by Resilient Systems
As attacks on Sony and Target show, the impact of a breach can stretch for months. Knowing how to communicate to the various internal and external audiences is crucial to mitigating the trail of damage.
The webinar features Melanie Dougherty Thomas, a crisis expert with more than 20 years of experience in marketing and communications. Melanie is Managing Director of Inform – a top communications firm that serves Fortune 500s.
Melanie will outline strategies for:
· Incident investigation and assessment
· Public acknowledgement and media management
· Customer and social media responses
· Legal notifications and obligations
Our featured speakers for this webinar will be:
· Melanie Dougherty Thomas, Managing Director, Inform
· Ted Julian, CMO, Co3 Systems
Industrial Control Security USA Sacramento California Oct 6/7, by James Nesbitt
Industrial Control Cyber Security conference, Sacramento, California, October 6th and 7th. Keynote speakers include DOE, NERC, NIST, SMUD, PG&E, SCE, NCi Security, Codenomicon (Heartbleed presentation).
Pre Conference workshop October 5th
“Effective methodology to protecting the oil and gas critical infrastructures from the emerging cyber threats”
Workshop Leader: Ayman AL-Issa, Digital Oil Fields Cyber Security Advisor
Top 12 Cybersecurity Predictions for 2017, by IBM Security
No industry is immune from a cyberattack. In fact, cyber experts are predicting that we may see a rise in attacks and a spread as industries previously on the fringe now face direct hits. The question is, “What’s in store for us in 2017?”
System and data hacking has become a multi-billion dollar organized business across the globe. In this session, recent high-profile attacks will be discussed, and Senior Product Specialist Jason Dettbarn will also project the direction of security vulnerabilities. Kaseya best practices will be highlighted, allowing you to guard against these attacks.
We are witnessing an onslaught of attacks coming in from highly organized cybercriminals. It is so bad, in fact, that the situation was recently described by U.S. Secretary of State, John Kerry as, “…pretty much the wild west…”.
By United Security Providers
"Evolving cybersecurity strategies" - Seizing the Opportunity, by Dean Iacovelli
Why does security feel like the most frustrating challenge in government IT? In part because security in a cloud-first, mobile-first world calls for new approaches. Data is accessed, used, and shared on-prem and in the cloud – erasing traditional security boundaries. We’ll examine current trends in cyber security and some resulting strategy shifts that have the potential to greatly enhance public sector organizations’ ability to balance risk and access, better detect and respond to attacks, and make faster and more coordinated cybersecurity decisions overall. Follow-on sessions in the series will delve more deeply into specific facets of an overall cybersecurity strategy.
The Security Director's Practical Guide to Cyber Security, by Kevin Duffey
Presented at the annual UK Security Expo in London, to help traditional Security Directors understand and feel confident about the practical ways in which their role should extend to cyber security issues. This presentation was followed by a simple cyber attack simulation (not shown here).
Presented by Barrie Millett and Kevin Duffey of Cyber Rescue.
M-Trends® 2013: Attack the Security Gap, by FireEye, Inc.
Mandiant’s annual threat report reveals evolving trends, case studies and best practices gained from Mandiant observations of targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, see https://www.fireeye.com/mtrends.
Top Application Security Trends of 2012, by DaveEdwards12
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers? Application Security has become one of the top priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW
BEFORE, DURING AND AFTER AN ATTACK
View the webinar:
https://www2.fireeye.com/The_Board_and_CyberSecurity_webinar_EMEA.html?utm_source=SS
Download the full report:
https://www2.fireeye.com/WEB-2015-The-Cyber-Security-Playbook.html?utm_source=SS
Cyber-risk Oversight Handbook for Corporate Boards, by Cheffley White
Cyber-risk oversight handbook for corporate boards that includes good practices and lessons learned to improve #cybersecurity in companies
Download here
ESP https://www.oas.org/ManualRiesgoCiberESP …
ENG https://www.oas.org/CyberRiskManualENG …
POR https://www.oas.org/ManualRiscoCiberPOR …
Join the Community IT monthly webinar series as we discuss the latest trends in IT Security for Nonprofits. Make IT Security a priority for your nonprofit in 2016.
Top 10 leading fraud detection and prevention solution providers, by Merry D'souza
CIOLOOK comes up with its edition of Top 10 Leading Fraud Detection and Prevention Solution Providers. Its Cover Story is "Kaspersky is to save the world". Kaspersky is a global cybersecurity company founded in 1997 with its roots in antivirus solutions. Its mission is simple: to build a safer world.
When a Data Breach Happens, What's Your Plan? by Edge Pereira
Ashley Madison, Sony, Kaspersky Labs, LastPass, CentreLink, G20 event in Brisbane… What do they all have in common? They were victims of data breaches. And as you probably know by now, some were handled better than others. In this session we will talk about strategies, from mitigation to handling, used when a data breach happens (not “if”) and what controls you have if you are using Office 365.
Not-For-Profit Cybersecurity and Privacy Disrupters During COVID-19, by Citrin Cooperman
To help not-for-profit entities protect their information during these unprecedented times, this webinar will cover challenges organizations face in preventing, detecting, and responding to cybersecurity-related activities. We discussed recent cyber breaches within not-for-profit organizations and considerations and actions you can take.
C-Suite Snacks Webinar Series: Under Attack - Preparing Your Company in the ... by Citrin Cooperman
Sign up for our weekly C-Suite Snacks webinars here: https://www.citrincooperman.com/infocus/c-suite-snacks
Our C-Suite Snacks webinar series provides the middle market with brief, strategic, and tactical business improvement information for 30 minutes every week. Join Citrin Cooperman live every Thursday at noon for snack-sized insights for business executives.
It’s no secret that companies around the world are under attack. Prior to COVID-19, breach rates were on the rise, but now hackers have only become more aggressive in their attempt to steal or hijack your data to try to extort money and do irreparable harm to your company’s reputation.
In this C-Suite Snacks webinar, we covered how to combat these attacks by understanding the risks and preparing to respond.
Key Takeaways:
- An overview of the latest breach statistics and trends
- Knowledge on the methods hackers are using to infiltrate organizations
- Methods to prepare your organization for attack and response
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System, by IBM Security
What could cybersecurity look like in the cognitive era? Organizations are facing a number of well-known security challenges and these challenges are leading to gaps in intelligence, speed, and accuracy when it comes to threats and incidents. The gaps can’t be addressed by simply scaling up legacy processes and infrastructure - new approaches are needed, and cognitive security solutions may help address these gaps. IBM conducted a survey of over 700 security professionals leaders and practitioners from 35 countries, representing 18 industries to get a sense for what challenges they are facing, how they are being addressed, and how they view cognitive security solutions as a potential powerful new tool.
Join us as Diana Kelley, Executive Security Advisor in IBM Security, and David Jarvis, Functional Research Lead for CIO and Cybersecurity in the IBM Institute for Business Value, discuss findings from the 2016 Cybersecurity Study "Cybersecurity in The Cognitive Era: Priming your Digital immune system"
This webinar will cover an overview of the study findings, including:
- Security challenges, shortcomings and what security leaders are doing about them
- Views on cognitive security solutions - how they might help, readiness to implement and what might be holding them back
- What those that are ready to implement cognitive enabled security today are thinking and doing
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
Although Sony seemed to dominate the cyber-security headlines of 2014, it was just one of many corporations infiltrated by an increasingly sophisticated and driven pool of hackers. J.P. Morgan Chase, Home Depot, and Target also top the list of businesses struggling with data breaches.
The most recent major cyberattack against Anthem Healthcare shook the insurance industry. In a rare show of honesty, the insurer began alerting customers and the media to the potential of a data breach just eight days after it first noted suspicious activity on Jan. 27, 2015.
Immediately upon discovering it had been attacked, Anthem jumped to address the security vulnerability, contacted the FBI, and hired leading cyber-security firm Mandiant to evaluate its systems, said president and CEO Joseph Swedish in a statement.
Noting the importance of protecting financial institutions, New York's Department of Financial Services responded to the Anthem breach by announcing its intent to integrate regular assessments of cyber-security preparedness at insurance companies as part of its examination process. It will also enforce "enhanced regulations" on insurers based in New York.
"Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses," said Benjamin M. Lawsky, New York State's superintendent of financial services, in a statement. He continued, "Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data."
Most people might expect that larger insurers, given the sensitive customer information they handle, would boast robust cyber-security programs. This is not necessarily true.
As part of its investigation, the Department found that 95% of insurers already think they have sufficient staff for information security, and just 14% of CEOs receive monthly briefings on data security. Anthem, the nation's second-largest health insurer, had not even encrypted its database containing nonmedical data. It claims that HIPAA did not require it to do so.
While experts believe that Anthem was exclusively targeted in its attack, there is no doubt that all financial institutions are at risk. Here are eight things to know as the industry enters a year of increasingly heightened cyber-vulnerability.
Cybersecurity Critical Infrastructure Threats and Examples 2022- Presentation... by Certrec
A presentation from Certrec showcasing the cybersecurity threats plaguing critical infrastructure in the United States. Includes examples of major cyber attacks within the past few years.
To learn how Certrec's cyber security solutions can help keep your power plant secure from threats, visit: https://www.certrec.com/
Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/
Slides from Simson Garfinkel's "Cybersecurity Mess" talk, explaining why we won't make progress on computer security until we solve several other important items.
Presented April 25, 2012 to the MIT Industrial Liaison Program.
What have we learned from 2017's biggest breaches and how will we deal with 2018's emerging threats? Attempting to look both backward and forward over the cyber landscape, Peter Wood will review lessons learned and apply them to the evolving threatscape.
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream? by 360mnbsu
The Internet of Things (IoT) has the potential to drive new innovation in products and services, and to improve "how things are done" in manufacturing. However, IoT also brings to light safety and security issues when purpose-built computing and network devices are exposed to the internet. This session will review case studies of IoT-enabled exploits, explore some of the underlying causes of the vulnerabilities, and briefly review steps vendors and end-users are taking to mitigate the risk.
From the 2014 Taking Shape Summit: The Internet of Things & the Future of Manufacturing.
The frequency and impact of cyber attacks have escalated cybersecurity to the top of Board agendas. Institutions are no longer asking if they are vulnerable to cyber attacks. Instead, the focus has shifted to how the attack might be executed, risks and impact. Most importantly, their organisational readiness and resilience to such threats.
Cybersecurity for Energy: Moving Beyond Compliance, by EnergySec
Presented by: Gib Sorebo, SAIC
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
54 Chapter 1 • The Threat Environment FIGURE 1-18 Cyberwar .docx, by alinainglis
Chapter 1 • The Threat Environment
FIGURE 1-18 Cyberwar and Cyberterror (Study Figure)
Nightmare Threats
- Potential for far greater attacks than those caused by criminal attackers
Cyberwar
- Computer-based attacks by national governments
- Espionage
- Cyber-only attacks to damage financial and communication infrastructure
- To augment conventional physical attacks
  - Attack IT infrastructure along with physical attacks (or in place of physical attacks)
  - Paralyze enemy command and control
  - Engage in propaganda attacks
Cyberterror
- Attacks by terrorists or terrorist groups
- May attack IT resources directly
- Use the Internet for recruitment and coordination
- Use the Internet to augment physical attacks
  - Disrupt communication among first responders
  - Use cyberattacks to increase terror in physical attacks
- Turn to computer crime to fund their attacks
espionage.[87] Cyber espionage from China has been a serious problem since 1999.[88] The Chinese government has been involved in, or sponsored, attacks aimed at the State Department, Commerce Department, Senators, Congressmen, and US military labs.[89] Cyberwar attacks can be launched without engaging in physical hostilities and still do tremendous damage. Countries can use cyberwar attacks to do massive damage to one another’s financial infrastructures, to disrupt one another’s communication infrastructures, and to damage the country’s IT infrastructure all as precursors to actual physical hostilities.
Cyberterror
Another nightmare scenario is cyberterror, in which the attacker is a terrorist or group of terrorists.[90] Of course, cyberterrorists can attack information technology resources directly. They can damage a country’s financial, communication, and utilities infrastructure.[91]
Most commonly, cyberterrorists use the Internet as a recruitment tool through websites and to coordinate their activities.[92] They can also use cyberterror in conjunction with .
[87] Dawn S. Onley and Patience Wait, “Red Storm Rising,” GCN.com, August 21, 2006. Keith Epstein, “China Stealing U.S. Computer Data, Says Commission,” Business Week, November 21, 2008. http://www.businessweek.com/bwdaily/dnflash/content/nov2008/db20081121_440892.htm.
[88] Daniel Verton and L. Scott Tillett, “DOD Confirms Cyberattack ‘Something New’,” Cnn.com, March 6, 1999.
[89] Josh Rogin, “The Top 10 Chinese Cyber Attacks (that we know of),” ForeignPolicy.com, January 22, 2010.
[90] Although organized terrorist groups are very serious threats, a related group of attackers is somewhat dangerous. These are hacktivists, who attack based on political beliefs. During tense periods between the United States and China, for instance, hacktivists on both sides have attacked the IT resources of the other country.
[91] In 2008, the CIA revealed that attacks over the Internet had cut off electrical power in several cities. Robert McMillan, PC World, January 19, 2008. http://www.pcworld.com/article/id,141564/article.htm?tk=nl_dnxnws.
Nominum Data Science Security Report, Fall 2016, by Brian Metzger
Nominum’s “Data Revelations” analyzes some of the biggest cyberthreats impacting organizations and individuals today, including ransomware, DDoS, mobile malware and IoT-based attacks. Since DNS is the launch point for over 90% of cyberattacks, it offers a superior vantage point from which to examine, understand, thwart and proactively prevent threats. By applying machine learning, artificial intelligence, natural language processing and neural networks, Nominum Data Science is able to predict and prevent some of the most sophisticated and dangerous cyberthreats to ever hit the internet.
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04, by Kyle Lai
What is CyberSecurity? Who are the threats? Why is cyber attack happening? How bad is it? How do attackers do it? What can we learn from Star Wars?
This presentation covers Cyber Attacks, State of CyberSecurity, some guidance for the students interested in getting into the field, and some great resources.
When you’re planning to move to the cloud and manage a hybrid environment, security is a top concern. But cloud is not necessarily less secure than a traditional environment. In fact, it may be possible to deliver even greater security in a hybrid cloud environment because it offers new and advanced opportunities.
In this eBook, you’ll discover how hackers are using traditional tactics in new ways to attack the cloud. You’ll also find out how the cloud can help you increase security with innovative approaches designed to detect threats long before they threaten your enterprise.
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich overview the 2018 Year in Review report detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.
Cyber attackers are better funded, more focused, and more successful than ever. Making matters worse, defenders have more IT territory to protect, including public cloud, virtual infrastructure, mobile, Internet of Things, and an expanding list of users, applications, and data. An evolution in security strategies is underway; shifting from a preventive approach to one that is more balanced across prevention, monitoring, and response. In this session, we delve into key innovations that enable a more effective defense and how RSA’s NetWitness suite is delivering many of these innovations.
Similar to 2019 10-22 axio - taking control of cyber risk - grid-seccon (20)
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
3. Chief Technology Officer // ICS Security Lead
JASON CHRISTOPHER
▪ Leads critical infrastructure strategy at Axio; actively involved in platform development
▪ Certified SANS Instructor for ICS
▪ Frequent speaker at conference and client events
▪ Federal energy lead for several industry standards and guidelines, including NERC CIPv5, NIST CSF, and the C2M2
▪ Incident response and risk management lead for DOE
▪ Security metrics development across EPRI and other research organizations
▪ Began career building control systems at a utility
▪ MS, Electrical Engineering, Cornell
▪ Based in Atlanta, GA
4. BEFORE
we’ve talked about this
Smaller beard, but still dashing
▪ Measure in dollars, move away from colors
▪ Link to insurance policies, like property & casualty, to link to the CFO
▪ Get invited to the board room and stay there!
Today we’ll use one key metric
Also wrote something for the SANS Reading Room
5. introductions
▪ Name
▪ Where you’re from
▪ Role(s)?
▪ Cyber risk experience?
▪ Expectations
6. AND CYBER RISK
a little about us
Axio’s unique methodology and software that helps answer the four most critical questions for cyber risk:
1. What’s my exposure in financial terms?
2. How mature is my cyber program?
3. Do I have the financial ability to recover?
4. Where should I invest?
Cyber Risk Quantification
Prioritization
Cybersecurity Assessment
Insurance Stress Testing
10. GETTING DATA IS HARD
myth #1
Then you’re doing this wrong
▪ What can you measure? Start somewhere
▪ Understand that metrics improve with time (only barbarians measure in “stones” and “feet”)
▪ Resources may be constrained at first
▪ But if you don’t try, it won’t get better
You really mean “I need the right starting point”
Literally, just do something.
11. SECURITY IS AN ART
myth #2
Really bad argument here…
▪ Can you document something?
▪ Can you count something?
▪ Observe the trends where you can
There’s measurement in almost everything
Literally, just do anything.
12. THIS TAKES TOO MUCH TIME
myth #3
Engineering 101: “Optimize within your constraints.”
▪ Team of 1? That still works (more on this later)
▪ Don’t boil the ocean and don’t build a team to “admire the problem.”
▪ Anything worth doing takes time and effort!
Size your efforts to your team
“If you’re not keeping score, you’re just practicing” – Vince Lombardi
13. A ROCKY ONE…
our story so far is…
We’re unlike other parts of the business, “security” has some communication issues:
Defining “cyber risk” comparative to other risks across operations
▪ Leads to a sense of false equivalency, both in description of the risk and how the risk should be addressed.
Creating metrics to measure performance of both the security program and threats
▪ No clear consensus on the metrics
▪ Creating a metrics program may compete against actual protective controls
▪ Identifying the right audience for risk metrics is… exhausting.
The cyber risk profession needs to play “catch up” and fast.
19. metrics and OPERATIONS
safety and security CULTURE
with leadership APPLICABILITY
Understanding the terms of art
Tools to translate between silos
Key categories of cyber risk
Property damage
Environmental damage
Computer systems damage
Mechanics of risk management
Risk transfer challenges and optimization
Effective controls to minimize the risk
20. START?
where do we
Use the tools you already have at your disposal
▪ Already used to report on capabilities (if done right)
▪ With a few minor tweaks (and breaking a few silos), every exercise can help quantify cyber risk.
Security teams: table top exercises!
23. Stuxnet
2009: Destructive attack of industrial control system
▪ Iran’s Natanz uranium enrichment facility
▪ Extensive physical damage: 1000 industrial centrifuges were damaged or destroyed by taking over the industrial control system and changing motor speeds while sending fake signals to the control room to indicate normal conditions
▪ Control system was “air-gapped.” Malware was hidden on USB drive
▪ Considered to be the first cyber attack resulting in major physical damage
The Telegraph, 30 Nov 2010
http://securityaffairs.co/wordpress/4544/hacking/stuxnet-duqu-update-on-cyber-weapons-usage.html
24. Destructive Attack — Steel Mill
2014: Germany
▪ Cyber attack on steel mill via spear phishing
• Disrupted industrial control system for blast furnace
• Furnace could not be shut down
• Resulted in “massive” unspecified damage
▪ Revealed by German Federal Office for Information Security (BSI) in December 2014. Few details are known about the event; Germans remain quiet.
▪ Motive is unclear
25. Coordinated Attack — Ukrainian Power Outage, Dec 2015
Highly coordinated efforts were synchronized against three power distribution utilities
1. SCADA hijack with malicious operation to open breakers
2. Disconnected backup power & flooded call centers to delay outage response
3. Corrupted firmware on communication devices at substations and wiped workstations & servers to amplify attack
Results could be more impactful in US due to our heavy reliance on automation and relative inexperience with manual operations.
225,000 customers lost power for < 6 hrs
135 MW
26. Ukrainian Power Outage 2016
Transmission attack
▪ 1.25-hour outage at one transmission substation outside Kiev, Dec 2016
▪ 200 MW power loss = 1/5 of power necessary for Kiev
▪ Investigation pending…
▪ Attacks at the transmission level have more widespread impact
27. Dragonfly 2.0
Reported by Symantec — Sept. 2017
▪ Campaign targeting energy firms — since 2011, dramatic uptick in 2017
▪ More than 20 companies’ networks were penetrated; in a ‘handful’, the attackers obtained access to “control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers.”
▪ Such access would allow attacks similar to Ukraine 2015.
[Greenberg 2017b]
28. U.S. Pipelines, April 2018
Attack on EDI vendor causes communications disruptions
▪ Attackers targeted Latitude Technologies, a Texas-based provider of electronic data interchange (EDI) services
▪ Latitude provides EDI and other technology services to more than 100 entities
▪ Gas service was not affected, though several companies reported interruptions to their communications including
• Oneok
• Energy Transfer Partners
• Boardwalk Pipeline Partners
• Eastern Shore Natural Gas
▪ Solid example of cyber affecting third-party organizations
29. TRITON/TRISIS ICS Attack
2017 attack on critical infrastructure Safety Instrumented System (SIS)
▪ SIS are uniquely configured per facility and provide the last line of defense to preserve safety in any off-normal event.
▪ Attacker achieved access to and control of both industrial control system and SIS.
▪ While attacker had control of SIS, a bug in their code caused the SIS to crash, which shut down the facility and led to the discovery of the intrusion.
▪ Reverse engineering found the RAT (remote access Trojan) but not the attack module(s).
▪ Attacker ‘owned’ the entire ICS network and could have easily initiated shutdown or stolen process information.
▪ Attacker also went after SIS, clearly indicating that they wanted to cause harm to people and damage to equipment.
30. WannaCry Ransomware Outbreak
12 May 2017
▪ 230 companies in more than 150 countries
▪ Leveraged ‘Eternal Blue’ — an exploit developed by NSA based on a flaw in Microsoft Windows’ Server Message Block (SMB) protocol
▪ Attack halted when cyber researcher discovered and activated kill switch
Animated map from New York Times, accessed 2017-05-14
https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
31. Petya/Nyetya/Not Petya
27 June 2017
▪ Data wiper disguised as a ransom-worm
▪ Originated in Ukraine but spread globally
▪ Exploited the Eternal Blue vulnerability (NSA)
▪ 2M computers within 2 hours of release
▪ Many prominent firms were impacted. Cyence estimates $850M in damages. Maersk reports $200-300M in damages.
▪ Motive and origin are a mystery, but many believe that it was targeted to damage Ukraine or serve as a smokescreen
32. Data Destruction — Shamoon timeline
2012 2013 2014 2015 2016 2017
▪ Aug 2012, RasGas: Similar attack
▪ Aug 2012, Saudi Aramco: 35,000 computers wiped, rendered inoperable; 10-day recovery
▪ Feb 2014, Las Vegas Sands: Data stolen; 1000’s of computers wiped; CEO Adelson had called for nuking Iran
▪ Nov 2014, Sony Pictures: Data stolen & crippling data destruction; The Interview
▪ Nov 2016, 6 Saudi Agencies: Shamoon time-bombs synchronized; computer date change preceded attack
▪ Jan 23, 2017, 9:02 am, ≥ 7 Saudi Orgs: Hit at least 3 gov’t & 4 private orgs; several petrochem
33. Other Common Cyber Risk Categories
In addition to tangible destruction and data destruction, we should be aware of these
Theft or Loss of Data
▪ Personal data, credit card data, business data — any data with black-market or competitive value is at risk
▪ Historically, the primary cyber peril
▪ Motive: financial or competitive gain, extortion, intel gathering
Business Email Compromise
▪ Theft of funds through cyber trickery
▪ Up 1300% since early 2015; FBI reports 22,143 victims and $3.1 billion stolen through mid 2016
▪ Motive: financial
Communications Disruption
▪ Website or network disruption; website defacement; social media takeover
▪ DDOS attacks have dramatically increased in severity
▪ Motive: financial, ideological, extortion, terrorism, or war
34. Threat climate takeaways
▪ Increasing threat actor capabilities for industrial control system attacks
• Safety system attacks are a new front, very concerning
• Automated attack frameworks represent considerable risk
• Increased signals that physical damage is being attempted
▪ Relative likelihood
• Motive is a big differentiator, but is not the sole factor
• NotPetya damaged many organizations opportunistically, as worms typically will
• Cyber-physical attacks are less likely, but have the potential for catastrophic impact
▪ Bottom line: we are all at increasing risk
Cyber-physical attacks: less likely, but large potential impact, example: TRITON/TRISIS
Availability events: more likely, disruption-oriented, examples: ransomware, worms
36. Quantifying Cyber Exposure Exercise
Overview
This session will be a mock quantification workshop
Fictitious company profile
Workshop overview
Mini-process based on a pre-planned loss scenario
Wrap-up discussion
GOAL: Demonstrate cyber risk quantification methods
• Workshop typically requires ~1 day
• We will shortcut some workshop elements
37. Acme Utilities
Company profile
▪ Warner City-based, large-sized independently owned utility
• Transmission, Distribution, Telecommunications, Natural Gas
• 5,000,000 customers
• New AMI project being rolled out
▪ 2018 revenue: $20 billion
Yes, this is made up.
No, you should not “fight the scenario”
38. Quantification Workshop Participants
# | Name | Role
1 | Wile E. Coyote | ACME Risk Manager; workshop co-host; responsible for ERM and risk transfer program
2 | Ray Wilson | ACME SVP for IT; workshop co-host; responsible for enterprise IT operations
3 | Mike Shuster | ACME CISO; responsible for enterprise security, physical and logical, IT and OT
4 | Nader White | ACME Senior Counsel, Chief Privacy Officer
5 | David Young | ACME Director of Distribution Operations
6 | Lisa Curtis | ACME Director of Water Operations
7 | Scott Mehravari | ACME Director of Finance & Supply Chain
8 | Pamela Fry | ACME Director of Metering
9 | Jason Kannry | ACME Director of Telecommunications Operations
10 | Dan Brown | ACME Insurance Program Lead
11 | Kevin Gonzalez | ACME Director of Engineering
12 | Julia Moore | Axio Co-Facilitator
13 | Nikki Bogle | Axio Co-Facilitator
39. Quantification Process Overview
Brainstorm Scenarios
▪ Brainstorm cyber loss scenarios that would impact operations
▪ Use brainstorming framework to consider various scenario types
▪ Identify many scenarios with large potential impacts
Select Priority Scenarios
▪ Select and rank a subset of the scenarios considered to pose the largest operational and financial impact
▪ Objective is to identify 5-10 scenarios
Quantify Impact
▪ For each scenario, estimate impact using taxonomy worksheet
▪ Objective is to complete estimates for as many of the selected scenarios as possible in the time available
41. Model Loss Scenario
▪ Elements:
• Scenario # (sequential)
• Who (the actor or an event)
• Their motive (if applicable)
• What they did or what happened (the action)
• The result on operations, data, systems, or other business elements
• Final outcome/damages of the action or event (data compromised, equipment or facilities damaged, revenues lost, and so forth)
• Lines of business (or categories of operations) affected
▪ For example:
Scenario 12: A financially motivated cyber actor infects our finance and customer management systems with ransomware, which renders them inoperable and causes the loss of all billing, customer, and employee data. Multiple lines of business are affected, including paychecks for employees. We are unable to complete any financial transactions or manage customer accounts, resulting in revenue and customer service delays. We ultimately pay the ransom, but the system was unavailable for 2 weeks.
Ask the question: What keeps you up at night?
42. Scenario Brainstorm Framework
Cyber Event Vectors
1. Data theft; Cyber espionage; IP Theft
• Loss of IP
• Loss/disclosure of PII, PHI, PCI
2. Data destruction or alteration
3. Network interruption or outage
• DDOS (internal or external)
• Network infrastructure attacks
• Dependent parties (e.g. cloud)
4. Cyber theft of funds
5. Attacks on control systems
• Controls takeover
• Plant & machinery damage
• Production outage or issues
6. Cyber extortion (likely combined with one of above)
7. Other
43. Scenario Brainstorm Framework
Cyber Event Vectors
1. Data theft; Cyber espionage; IP Theft
• Loss of IP
• Loss/disclosure of PII, PHI, PCI
2. Data destruction or alteration
3. Network interruption or outage
• DDOS (internal or external)
• Network infrastructure attacks
• Dependent parties (e.g. cloud)
4. Cyber theft of funds
5. Attacks on control systems
• Controls takeover
• Plant & machinery damage
• Production outage or issues
6. Cyber extortion (likely combined with one of above)
7. Other
Acme Utilities Operations
A. Telecomm
B. Distribution
C. Gas
D. New AMI
E. Business Operations
F. Other
44. Cyber Loss Scenario Brainstorming
Summary results
▪ After the brainstorming framework was presented and discussed, a total of 42 scenarios were brainstormed by the participants, and were captured on flip charts in the workshop room.
▪ Over lunch, each participant selected the scenarios they were most concerned about from an impact perspective. Votes were tallied to develop a priority list of top scenarios.
▪ The following page shows an example brainstorming framework and highlights the 4 selected scenarios as a result of the prioritization process.
45. Top Scenarios
Cyber Event Vectors
1. Data theft; Cyber espionage; IP Theft
• Loss of IP
• Loss/disclosure of PII, PHI, PCI
2. Data destruction or alteration
3. Network interruption or outage
• DDOS (internal or external)
• Network infrastructure attacks
• Dependent parties (e.g. cloud)
4. Cyber theft of funds
5. Attacks on control systems
• Controls takeover
• Plant & machinery damage
• Production outage or issues
6. Cyber extortion (likely combined with one of above)
7. Other
Acme Utilities Operations
A. Telecomm
B. Power
C. Gas
D. New AMI
E. Business Operations
F. Other
Selected scenarios:
1. PCI and employee data theft
2. Shamoon-type wiper event across all business units
3. ICS malware component
3. Operational Disruption with a communications network distractor
4. Gas billing ransomware
46. New AMI and Smart Grid Integration
A vision for ACME’s future!
• Received federal grant money for a new smart grid AMI installation and worked with WECE on design and implementation.
• Uses state-of-the-art wireless technology to provide operational visibility and big data analytics across not only the AMI capabilities, but ACME’s unique broadband utility and water operations.
• Awarded “Most Beautiful Inverter Design” by IEEE Power Engineering Society
47. Scenario 3: Operational Disruption with a Communications Network Distractor
▪ Motivated political or environmental actor
▪ Combines two attack types – one targeting the wireless network to distract operators, the other on ACME’s AMI
▪ The attackers exploit a misconfiguration in ACME’s wireless network, and execute an attack that disrupts communication of metering data, creating confusion about the status of the power operations.
▪ Attackers install ransomware on operator terminals and disable the telecommunications across the shared broadband, water, and AMI networks
▪ The final stage of the attack executes a remote disconnect to a large number of meters and “bricks” a smaller subset. Since communications are down, ACME needs to manually restore or replace the meters.
We’ll take a few minutes to read the scenario; then we’ll begin quantifying the cyber risk!
49. The Axio Quadrants
taxonomy for cyber events
Impact | First Party Impacts | Third Party Impacts
Financial Impacts | Your income and expenses | Others’ income and expenses
Tangible Impacts | Your people, property, and environment | Others’ people, property, and environment
50. Top Quadrants: Financial Impacts
Some of these impacts are data-breach centric; many could apply to any event.
First Party Impacts
• Response costs: forensics, notifications, credit monitoring
• Legal expenses: advice and regulatory filings
• Lost income from network or computer outages, including cloud
• Theft of funds, monies, or securities
• Cost of restoring lost data
• Cyber extortion expenses
• Value of stolen intellectual property
• Other financial damages
Third Party Impacts
• Consequential lost income
• Restoration expenses
• Legal defense
• Civil fines and penalties
• Shareholder losses
• Other financial damages
51. Bottom Quadrants: Tangible Impacts
These impacts are of increasing concern to all companies, especially critical infrastructure
First Party Impacts
• Mechanical breakdown of your equipment
• Destruction or damage to your facilities or other property
• Environmental cleanup of your property
• Lost income from physical damage to your (or dependent) equipment or facilities (business interruption)
• Bodily injury to your employees
• Other tangible damages
Third Party Impacts
• Mechanical breakdown of others’ equipment
• Destruction or damage to others’ facilities or other property
• Environmental cleanup of others’ property
• Bodily injury to others
• Product liability
• Product recall expenses
• Other tangible damages
52. First-Party Financial Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Response costs: forensics, notifications, credit monitoring | |
Legal advice | |
Revenue losses from network, cloud, or computer outages | |
Cost of restoring lost data | |
Cyber extortion payments | |
Value of stolen intellectual property | |
Reputational harm | |
TOTAL | |
53. First-Party Financial Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Response costs: forensics, notifications, credit monitoring | Forensics Team Hourly Rate ($250) * Forensics Team Weeks (5) * Forensics Team Size (4) * Forensics Team Hours per week (60) | $300,000
Legal advice | |
Revenue losses from network, cloud, or computer outages | [Annual Revenue (365m) / Days in Year (365)] * Days of Lost Revenue (10) | $10,000,000
Cost of restoring lost data | |
Cyber extortion payments | |
Value of stolen intellectual property | |
Reputational harm | |
TOTAL | | $10,300,000
54. Third-Party Financial Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Consequential revenue losses | |
Restoration expenses | |
Legal defense | |
Shareholder losses (including D&O suits) | |
Other financial damages | |
TOTAL | |
55. Third-Party Financial Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Consequential revenue losses | |
Restoration expenses | |
Legal defense | |
Shareholder losses (including D&O suits) | |
Other financial damages | Civil fines and penalties from regulators | $20,000,000 - $40,000,000
TOTAL | | $20,000,000 - $40,000,000
56. First-Party Tangible Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Mechanical breakdown of your equipment | |
Destruction or damage to your facilities or other property | |
Environmental cleanup of your property | |
Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption) | |
Bodily injury to your employees | |
TOTAL | |
57. First-Party Tangible Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Mechanical breakdown of your equipment | Firmware damage to computing equipment: [Control System Server Count (100) * Server Cost ($10,000)] + [Workstations (500) * Workstation Cost ($1,000)] + [Switches (150) * Switch Cost ($2,000)] | $2,150,000
Destruction or damage to your facilities or other property | |
Environmental cleanup of your property | |
Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption) | |
Bodily injury to your employees | |
TOTAL | | $2,150,000
58. Third-Party Tangible Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Mechanical breakdown of others’ equipment | |
Destruction or damage to others’ facilities or other property | |
Environmental cleanup of others’ property | |
Bodily injury to others | |
TOTAL | |
59. Third-Party Tangible Impacts
Impact Category | Assumptions | Estimate (ranges are ok)
Mechanical breakdown of others’ equipment
Destruction or damage to others’ facilities or other property | [Compromised Partner Servers (20) * Partner Server Cost ($2,000)] + [Compromised Partner Workstations (50) * Partner Workstation Cost ($500)] | $65,000
Environmental cleanup of others’ property
Bodily injury to others
TOTAL | | $65,000
60. Assignment time! Estimate Potential Impact per Scenario
▪ Develop rough estimates of the potential impact from the selected scenarios by loss category
• Use impact analysis worksheet
• Note: impact estimates are not necessary for all loss categories; rough estimates for categories of highest impact will suffice.
• Feel free to use Google or “call a friend,” but make this quick!
• Each table should be prepared to talk about their assumptions and ranges.
What decreases impact costs? (MAKE ASSUMPTIONS)
• Additional cybersecurity capabilities – what’s missing?
• Engineered resilience – could this be prevented?
• How to talk about cyber risk and dollars to executives?
63. metrics and OPERATIONS
safety and security CULTURE
with leadership APPLICABILITY
Understanding the terms of art
Tools to translate between silos
Key categories of cyber risk
Property damage
Environmental damage
Computer systems damage
Mechanics of risk management
Risk transfer challenges and optimization
Effective controls to minimize the risk
64. HEAT MAPS ARE DEAD, long live heat maps
Use the tools and language of your risk management peers – change won’t happen overnight!
Impact \ Probability | Rare (1) | Remote (2) | Possible (3) | Likely (4) | Very Likely (5)
Catastrophic (5) | 6 | 7 | 8 | 9 | 10
Significant (4) | 5 | 6 | 7 | 8 | 9
Moderate (3) | 4 | 5 | 6 | 7 | 8
Minor (2) | 3 | 4 | 5 | 6 | 7
Insignificant (1) | 2 | 3 | 4 | 5 | 6
Response:
Accept (Score = 2, 3)
Monitor (Score = 4, 5)
Manage (Score = 6)
Avoid/Resolve (Score = 7)
Urgently Avoid/Resolve (Score = 8, 9, 10)
65. HEAT MAPS ARE DEAD, long live heat maps
Use the tools and language of your risk management peers – change won’t happen overnight!
Impact Categories | Insignificant | Minor | Moderate | Significant | Catastrophic
Outage of more than X customers | 10 customers | 100 customers | 500 customers | 1,000 customers | 5,000 customers
Financial impact of more than $Y | $1,000 | $20,000 | $80,000 | $200,000 | $500,000
Business ops disruption of ≥ Z time | 1 hour | 4 hours | 8 hours | 2 days | 5 days
Serious injury to ≥ A people | 0 people | 0 people | 1 person | 10 people | 50 people
Breach of data for ≥ B customers | 100 customers | 1,000 customers | 5,000 customers | 10,000 customers | 100,000 customers
...and so forth
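The scoring on slides 64 and 65, worked through as an added Python example (not part of the presentation): each impact category is rated against the slide 65 thresholds, the worst category sets the impact level, and impact plus probability gives the slide 64 score and response. The category key names, the use of "reaches the threshold" for every row, the handling of shared thresholds, and both sample scenarios are assumptions made for this example.

```python
from bisect import bisect_right

LEVELS = ["Insignificant", "Minor", "Moderate", "Significant", "Catastrophic"]
PROBABILITY = {"Rare": 1, "Remote": 2, "Possible": 3, "Likely": 4, "Very Likely": 5}

# Slide 65 thresholds, one per impact level (Insignificant .. Catastrophic).
# The dictionary keys are names chosen for this example.
THRESHOLDS = {
    "customers_out": [10, 100, 500, 1_000, 5_000],
    "financial_usd": [1_000, 20_000, 80_000, 200_000, 500_000],
    "disruption_hours": [1, 4, 8, 48, 120],  # 2 days and 5 days as hours
    "serious_injuries": [0, 0, 1, 10, 50],
    "customers_breached": [100, 1_000, 5_000, 10_000, 100_000],
}

# Slide 64 response bands as (highest score in the band, response).
RESPONSES = [(3, "Accept"), (5, "Monitor"), (6, "Manage"),
             (7, "Avoid/Resolve"), (10, "Urgently Avoid/Resolve")]

def impact_level(category, value):
    """Return the impact level (1..5) of one category for an observed value."""
    # Assumptions: a value earns the highest level whose threshold it reaches,
    # levels sharing a threshold resolve to the lower level, and anything
    # below the first threshold is rated Insignificant.
    thresholds = THRESHOLDS[category]
    idx = bisect_right(thresholds, value) - 1
    if idx < 0:
        return 1
    return thresholds.index(thresholds[idx]) + 1

def rate(scenario, probability):
    """Score a scenario: worst impact level across categories + probability."""
    levels = {cat: impact_level(cat, val) for cat, val in scenario.items()}
    driver = max(levels, key=levels.get)
    score = levels[driver] + PROBABILITY[probability]
    response = next(name for top, name in RESPONSES if score <= top)
    return {"driver": driver, "impact": LEVELS[levels[driver] - 1],
            "score": score, "response": response}

# Constructed sample scenarios (not figures from the presentation).
OUTAGE = {"customers_out": 600, "financial_usd": 60_000, "disruption_hours": 6,
          "serious_injuries": 0, "customers_breached": 0}
EQUIPMENT_LOSS = {"financial_usd": 2_000_000, "serious_injuries": 0}

if __name__ == "__main__":
    for scen, prob in [(OUTAGE, "Possible"), (EQUIPMENT_LOSS, "Rare"),
                       (EQUIPMENT_LOSS, "Likely")]:
        print(prob, rate(scen, prob))
```

Because the score is a sum, a Moderate/Possible scenario and a Catastrophic/Rare scenario both land on 6 (Manage), so the driving category is worth reporting next to the score.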
66. what if we don’t have COMMON LANGUAGE?
Even in the case where it’s not clear – don’t reinvent the wheel!
Example: University of Cambridge’s Taxonomy of Threats for Complex Risk Management
▪ …taxonomy of macro-catastrophe threats that have the potential to cause damage and disruption to social and economic systems in the modern globalized world.
▪ Contains
• 5 Primary Classes
• 11 Families
• 55 (Genus) Types
▪ Very high level
[Report cover: Cambridge Risk Framework, A Taxonomy of Threats for Complex Risk Management, Research Programme of the Cambridge Centre for Risk Studies]
75. C2M2 AND MEASUREMENT: does subjectivity count?
Crawl-walk-run with reds-and-greens
Level | Approach Practices from ACM-1 | Management Practices from ACM-4
MIL0
MIL1
Approach practices:
1a. There is an inventory of OT and IT assets that are important to the delivery of the function; management of the inventory may be ad hoc
1b. There is an inventory of information assets that are important to the delivery of the function; management of the inventory may be ad hoc
Management practices:
Initial practices are performed, but may be ad hoc
MIL2
Approach practices:
1c. Inventory attributes include information to support the cybersecurity strategy
1d. Inventoried assets are prioritized based on their importance to the delivery of the function
Management practices:
a. Documented practices are followed for ACM activities
b. Stakeholders for ACM activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support ACM activities
d. Standards and/or guidelines have been identified to inform ACM activities
MIL3
Approach practices:
1e. There is an inventory for all connected IT and OT assets related to the delivery of the function
1f. The asset inventory is current (as defined by the organization)
Management practices:
e. ACM activities are guided by policy (or other directives)
f. ACM policies include compliance requirements for specified standards or guidelines
g. ACM activities are periodically reviewed for conformance to policy
h. Responsibility & authority for ACM activities are assigned to personnel
i. Personnel performing ACM activities have adequate skills & knowledge
Mature capability requires both:
CAN YOU RUN?
CAN YOU KEEP RUNNING?
76. ARCHITECTURE OF TRUTH: when making sense doesn’t make sense
[Diagram labels: Enterprise Mission and Insight; Board, C-Suite, CRO, CISO; Security & Risk Program; C2M2, C2M2 / CSF; Loss Scenario (x3); Metrics (x3); Technologies; Networks/Assets; Apps/Systems; Controls/Security Tech; Measurements]
Information aggregation and interpretation challenge Governance challenge
Information aggregation and interpretation challenge Management challenge
77. ARCHITECTURE OF TRUTH: when making sense doesn’t make sense
BOARD TRUTH
MANAGEMENT TRUTH
GROUND TRUTH
Information aggregation and interpretation challenge Governance challenge
Information aggregation and interpretation challenge Management challenge
80. DOES TRUTH = TRUTH?
recall the levels of truth
BOARD TRUTH
MANAGEMENT TRUTH
GROUND TRUTH
Information aggregation and interpretation challenge Governance challenge
Information aggregation and interpretation challenge Management challenge
88. Emerging Issue in Established Market
Market in Flux – Exclusions Being Added to Traditional Covers
PROPERTY POLICIES?
CASUALTY POLICIES?
Tangible (Physical) Damages
CYBER INSURANCE POLICIES
1st Party Damages | 3rd Party Damages
Financial Damages
90. 1st Party Damages (to your organization) | 3rd Party Damages (to others)
Financial Damages
Tangible (Physical) Damages
$ $ $
91. enterprise risk management’s NEW EQUATION, NEW CURVE
The existing “cyber risk equation” is not very hopeful:
Risk = Impact x Probability
▪ Where Probability = function(threat, vulnerability)
▪ Are threats decreasing?
▪ Are vulnerabilities decreasing?
[Chart: Risk plotted against Time]
92. enterprise risk management’s NEW EQUATION, NEW CURVE
Revise the equation to take control of your cyber risk
Risk = (Impact x Probability) / Security Capability
▪ This equation gives us a reduction in risk as our capabilities increase
[Chart: RISK plotted against CYBERSECURITY CAPABILITY; regions labelled Invest in Capability, Invest in Transfer, Sustain Capability]
1. Early capability improvements have high payoff in risk reduction
2. Payoff flattens as capability increases
3. Insurance transfers impact and results in a quantum risk reduction
4. Insurers want insureds to be on the flatter part of the capability curve
5. Invest accordingly