This is the fourth in a series of suggested metrics governments could (should?) use to measure OT security posture, incidents, and risk … something desperately needed and consistently avoided.
Metric 1: Impacted People Days
Metric 2: Leading Indicator Metrics
Metric 3: Internet Exposed OT
Metric 4: Outage Pie Charts By Sector
Cyber attacks and incidents are only one of many causes of outages. Others include weather, parts availability, labor actions, pandemic, … This fourth proposed government metric creates an outage pie chart to show the relative causes of outages by sector.
How big is the cyber slice? Is it growing as a percentage of the outage pie? Is it growing in gross value? This will inform the government how they are doing at addressing cyber risk in the sector and where to best place their resources.
Unfortunately, the numbers to create these pie charts are difficult to get in many sectors, and they would seem to be some of the most important risk-related numbers a government agency would want. They are worth the effort even if it is an estimation. I can’t imagine not having data on what is causing outages in the critical infrastructure sector that I was responsible for.
The US electric sector tracks outages with a SAIDI statistic. In 2023, the average customer in the US was without electric power for 333 minutes. Zero or near zero of those 333 minutes were due to cyber incidents. Cyber not even being a minor cause of outages is borne out in a recent NERC reliability overview. Cyber would only be crumbs, not even a tiny slice.
The electric sector had a highly successful 2023 in preventing cyber incidents causing outages, and a successful 2022 and 2021 and … The same can be said of the water sector, despite the hysteria about a handful of attacks on small water utilities. Pipelines were also successful in 2023, and most recent years, with 2021 / Colonial Pipeline being the exception.
The outage pie chart for the hospital sector in 2023 and so far in 2024 would show a sizable and growing cyber incident slice due to ransomware, not insecure-by-design medical devices. This highlights a secondary purpose of the outage pie chart. If the slice is not small, or is growing, what type of cyber incidents are causing the outages? Focus your short-term efforts on these outage causes.
The cyber slice of the outage pie would also be more than crumbs for the manufacturing sector, food & bev, and possibly transportation.
In the US, each critical infrastructure sector-specific agency would have its own outage pie for the sector it is responsible for.
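The questions above (how big is the cyber slice, is it growing as a share and in gross value, and which incident types drive it) can be computed from per-sector outage records. This is an added example, not from the original post: the records are constructed and are not real outage data, and the record layout, function names and the 5% "small slice" threshold are assumptions.

```python
from collections import defaultdict

# Constructed records, NOT real data: (sector, year, cause, cyber type, outage hours)
RECORDS = [
    ("hospital", 2022, "weather", None, 400.0),
    ("hospital", 2022, "parts availability", None, 300.0),
    ("hospital", 2022, "cyber", "ransomware", 100.0),
    ("hospital", 2023, "weather", None, 350.0),
    ("hospital", 2023, "parts availability", None, 250.0),
    ("hospital", 2023, "cyber", "ransomware", 225.0),
    ("hospital", 2023, "cyber", "medical device", 25.0),
    ("electric", 2022, "weather", None, 900.0),
    ("electric", 2023, "weather", None, 950.0),
]

SMALL_SLICE = 0.05  # assumption: the post gives no threshold for a "small" slice


def outage_pie(records, sector, year):
    """Return {cause: share of total outage hours} for one sector and year."""
    totals = defaultdict(float)
    for sec, yr, cause, _kind, hours in records:
        if sec == sector and yr == year:
            totals[cause] += hours
    grand = sum(totals.values())
    return {cause: hrs / grand for cause, hrs in totals.items()} if grand else {}


def cyber_slice_report(records, sector):
    """Track the cyber slice per year as gross hours and as share of the pie."""
    years = sorted({yr for sec, yr, *_ in records if sec == sector})
    gross, share = {}, {}
    for yr in years:
        gross[yr] = sum(h for s, y, c, _k, h in records
                        if (s, y, c) == (sector, yr, "cyber"))
        share[yr] = outage_pie(records, sector, yr).get("cyber", 0.0)
    first, last = years[0], years[-1]
    report = {"gross": gross, "share": share,
              "share_growing": share[last] > share[first],
              "gross_growing": gross[last] > gross[first]}
    # Secondary purpose: if the slice is not small, or is growing, list the
    # incident types behind it in the latest year, largest first.
    if share[last] > SMALL_SLICE or report["share_growing"]:
        by_type = defaultdict(float)
        for s, y, c, kind, h in records:
            if (s, y, c) == (sector, last, "cyber"):
                by_type[kind] += h
        report["drivers"] = sorted(by_type.items(), key=lambda kv: -kv[1])
    return report
```

Share and gross hours are reported separately because the slice can grow as a percentage while total outage hours fall, or the reverse.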