This week’s task requires a discussion with the Finance department. Cybersecurity people in OT and IT often overestimate the financial impact of an outage. In one way, this is a good thing. It means the individual and team will work hard to avoid an outage because they believe the consequences are dire. Where this overestimation is bad is it can lead to a misallocation of security resources.
Three quick examples:
- A power plant in the Eastern US believes that an outage of over two hours would be a high consequence event. The reality – – an outage of two months would still be a low consequence event. Something that is acceptable to happen once per year. The utility can buy power at a slightly higher cost than they produce power. A high consequence event is if an attacker can cause physical damage to an expensive, long lead time physical component. The better use of resources would be to install unhackable protection measures for this equipment.
- An OT team at a manufacturing plant believes an outage of over two days would be a high consequence event. The reality – – the company has over 50 plants and outsourced partner plants. It can shift the lost manufacturing capacity to another plant that makes a long term outage a low consequence event. What could make a cyber/physical event at a single plant a high consequence event is something that affected product integrity; something that allowed substandard or even dangerous products to reach the customer.
- Clorox lost approximately 25% of their manufacturing capability in Q3 of 2023 due to a ransomware incident. The obvious financial loss was the products that could not be manufactured and sold. The less obvious financial loss was Clorox lost shelf space in stores. It took many months after manufacturing resumed to get this shelf space back.
Start with a simple question for the Finance department. What would the financial impact be if xx facility or yy product or service could not be produced for a day? a week? a month? The Finance department may have a number. Or they might be able to outline the factors that would determine the impact, such as time of year or weather. Always take the worst case scenario, such as a toy factory in the months prior to Christmas or power needs in the heat of summer or cold of winter.
Ask the Finance department the same question for different scenarios. This will provide information for your OT security program and importantly help you understand your organization’s business.
A quantitative answer to this task is preferred. A qualitative answer is acceptable. You will get more information on this answer in other weekly tasks.
Again, your task this week is to understand the financial impact to your company of an outage to the ability to produce the product or service at a facility or system. Try to get an answer for a daily, weekly and monthly outage, whether that answer is quantitative or qualitative.
If you have a large number of sites, try to get the financial impact numbers for a number of scenarios, such as one plant outage, key plant outage, and all plant outages.
If you can’t talk with Finance, and your company is a public company, look for information in the financial reporting to help you understand at a qualitative level the financial impact of an outage. You may be able to find this information if your company had suffered an outage due to a weather incident, pandemic, labor issue, or other cause.
_________
What is the financial impact of an OT outage in various scenarios?
Scenario:
1 Day Outage Cost:
1 Week Outage Cost:
1 Month Outage Cost:
Scenario:
1 Day Outage Cost:
1 Week Outage Cost:
1 Month Outage Cost:
Scenario:
1 Day Outage Cost:
1 Week Outage Cost:
1 Month Outage Cost: