There is a dangerous theme I’m hearing more and more from a variety of sources: that every possible risk must be reduced immediately, right now, and that if you are not doing this, Mr. Asset Owner, you are in security denial and being irresponsible. First, this is not possible, and second, it is foolhardy. Classic security practices of risk reduction and risk management are what is needed, not the false hope of an unnecessary utopia.
In the electric sector we are hearing arguments from a variety of sources that all cyber elements of distribution systems are just as important to secure as transmission and large generation systems, or that serial communications are just as important to secure as IP communications. In the first case the consequence, or impact, is not as great; in the second case the threat is not as great; and consequence and threat are both elements of the risk equation. This could be an opus of a blog post, but I’ll try to keep it to a reasonable length with a few bullets and possible follow-up posts.
- Asset owners should be addressing the largest risks first. There should be prioritization. An attempt to address all risks at once will fail, especially for those just beginning a cyber security program. It is amazing how much the security posture can improve in the first six to twelve months if risks are addressed with risk reduction as the primary goal. Continue with an aggressive risk reduction approach and in about three years, in our experience, you will have an acceptable security posture. There is a limit to the number of technical and administrative security controls an organization can absorb effectively in a year.
- Asset owners should not be trying to reduce cyber risk to zero. The goal is to reduce risk to a level acceptable to management, which will consider the business, safety and regulatory factors. Credit card companies do not try to reduce the risk of fraud to zero. Back when I was doing banking security, some would say 3% to 5% is acceptable. Efforts to reduce it further cost more money than they saved in fraud, but this was regularly reviewed. Management may say it is acceptable for a highly sophisticated cyber attack to take out power for 6 hours to 2,500 customers rather than spend some huge amount of resources to prevent this.
- Trying to reduce a cyber risk when the physical risk is greater is a misallocation of security resources. The key here is understanding the risk and having the appropriate level of management approve risk acceptance. Engineers and security professionals sometimes fall into the “it is too expensive or difficult to address” trap when it is not in their purview to accept the risk. Many times the engineer’s or security professional’s job is to identify, quantify or categorize risks and to identify solutions or compensating controls. Management’s job is to accept the risk or to approve allocating the resources to reduce it.
- Think of risk management as a big bar chart, with the height of each bar representing risk, where risk = consequence x threat x vulnerability. You should be pushing the highest bar down first, then the next highest, and so on until all of them are at a level designated as acceptable risk. It is a simple concept and an easy way to approach the subject with C-level management.
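To make the bar chart concrete, here is an added example, not code from the original post: a small Python script that scores each risk as consequence x threat x vulnerability, then greedily pushes the tallest bar down first until every bar is at or below the accepted level or this year’s capacity for new controls is used up. Everything in it is assumed for illustration: the 1-5 scale for each factor (the post gives no scale), the asset names and scores, the controls and their hypothetical costs, the accepted level of 24 and the capacity of 10 cost units. It puts a physical risk on the same chart as the cyber risks, and the cheaper serial-link bar never gets spent on because it starts below the line.

```python
"""Added example, not from the original post: rank risks as
consequence x threat x vulnerability and push the highest bar down first.

Assumed for illustration: each factor is scored 1-5, each control knocks
points off one factor at a hypothetical cost, management has accepted a
score of 24 or below, and 10 cost units of controls can be absorbed this
year. Asset names, scores, controls and costs are constructed, not real.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    consequence: int    # impact if the scenario happens, 1-5 (assumed scale)
    threat: int         # likelihood an adversary attempts it, 1-5
    vulnerability: int  # likelihood the attempt succeeds, 1-5

    def score(self) -> int:
        """Height of this risk's bar on the chart."""
        return self.consequence * self.threat * self.vulnerability


@dataclass(frozen=True)
class Control:
    name: str
    target: str     # Risk.name this control applies to
    factor: str     # "consequence", "threat" or "vulnerability"
    reduction: int  # points removed from that factor (floor of 1)
    cost: int       # hypothetical budget units


def apply_control(risk: Risk, control: Control) -> Risk:
    """The risk as it would score once the control is in place."""
    current = getattr(risk, control.factor)
    return replace(risk, **{control.factor: max(1, current - control.reduction)})


def rank(risks) -> List[Risk]:
    """Tallest bar first; ties keep their input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def best_control(risk: Risk, available: List[Control], budget_left: int) -> Optional[Control]:
    """Most score reduction per unit cost among affordable controls for this risk."""
    candidates = [c for c in available if c.target == risk.name and c.cost <= budget_left]
    if not candidates:
        return None
    return max(candidates, key=lambda c: (risk.score() - apply_control(risk, c).score()) / c.cost)


def push_down(risks: List[Risk], controls: List[Control], acceptable: int, capacity: int):
    """Always work on the tallest bar above the accepted level that still has an
    affordable control, until nothing is above the line or capacity is spent.
    Returns (ranked residual risks, plan, risks needing a management decision, spent);
    plan entries are (control name, score before, score after)."""
    state: Dict[str, Risk] = {r.name: r for r in risks}
    available = list(controls)
    plan: List[Tuple[str, int, int]] = []
    spent = 0
    while True:
        above = [r for r in rank(state.values()) if r.score() > acceptable]
        chosen = None
        for risk in above:  # highest bar first
            control = best_control(risk, available, capacity - spent)
            if control is not None:
                chosen = (risk, control)
                break
        if chosen is None:  # nothing left that we can afford to push down
            break
        risk, control = chosen
        state[risk.name] = apply_control(risk, control)
        available.remove(control)
        spent += control.cost
        plan.append((control.name, risk.score(), state[risk.name].score()))
    residual = rank(state.values())
    needs_decision = [r for r in residual if r.score() > acceptable]
    return residual, plan, needs_decision, spent


# Constructed sample portfolio: cyber and physical risks on the same chart.
RISKS = [
    Risk("transmission SCADA EMS", 5, 4, 4),
    Risk("large generation DCS", 5, 3, 4),
    Risk("distribution feeder RTUs (IP)", 2, 4, 4),
    Risk("distribution serial links", 2, 2, 4),
    Risk("substation physical access", 4, 3, 4),
]
CONTROLS = [
    Control("EMS network segmentation", "transmission SCADA EMS", "vulnerability", 2, 3),
    Control("EMS MFA for remote access", "transmission SCADA EMS", "threat", 1, 2),
    Control("DCS patching and hardening", "large generation DCS", "vulnerability", 2, 3),
    Control("substation fencing and cameras", "substation physical access", "vulnerability", 2, 2),
    Control("feeder RTU firewalling", "distribution feeder RTUs (IP)", "vulnerability", 1, 2),
    Control("serial link encryption", "distribution serial links", "vulnerability", 2, 4),
]
ACCEPTABLE = 24  # assumed management-approved level
CAPACITY = 10    # assumed controls the organization can absorb this year

if __name__ == "__main__":
    residual, plan, needs_decision, spent = push_down(RISKS, CONTROLS, ACCEPTABLE, CAPACITY)
    for name, before, after in plan:
        print(f"apply {name}: {before} -> {after}")
    print(f"spent {spent} of {CAPACITY}")
    for r in residual:  # the bar chart after this year's work
        flag = " <- management must accept or fund" if r.score() > ACCEPTABLE else ""
        print(f"{r.name:32} {'#' * (r.score() // 2):40} {r.score()}{flag}")
```

With these constructed numbers the script spends the year’s budget on the EMS, the DCS and the substation fence, in that order, and leaves the feeder RTUs, the EMS and the DCS still above the line. That last list is the point of the exercise: it is what goes to management to either accept or fund, rather than something the engineer quietly decides is too expensive.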