Common complaint in OT security: the company won’t spend money on OT security.
This week you begin to experience the joy of getting funding for your OT cyber risk reduction project. Let’s review this month’s activities:
- You’ve identified and understood the safety and protection devices and systems that prevent high consequence events.
- You have identified one or more scenarios where an attacker who has compromised OT could disable the safety and protection, and then use the ICS to cause a high consequence event.
- You have identified the best method (most certain and lowest cost) to prevent a cyber attack from causing a high consequence event even if the OT security fails.
For each high consequence event avoidance solution identified in Weeks 16 & 17 you need to:
- Clearly state the high consequence event and the impact. Use the work from Week 13 and identify the financial cost, customer impact, safety impact, … whatever makes it a high consequence event in your company’s risk management program.
- Calculate the cost of the avoidance solution from Weeks 16 & 17.
- Work these into a simple paragraph and presentation.
Here is a simplified example format that you can customize and improve.
If a skilled attacker is able to compromise our OT, which we are working hard to prevent, they would be able to disable the [xx] safety system and cause [yy] to explode. This could result in a loss of life, would cost us [$aa] to rebuild, and result in an outage of [bb] days. This outage will cost us [$cc] and impact [dd] customers.
Based on our risk matrix, this is a catastrophic financial consequence event, a high consequence customer impact event, and possibly a catastrophic consequence safety event.
If we spend [$ee] on [the solution], we can prevent a cyber attacker from having this capability and causing this high consequence event, even if the attacker has complete control of our OT system.
Gather the information below this week and schedule a meeting to present this information up your reporting chain with the goal of getting in front of executives and getting funding for your solutions.
High Consequence Event:
Impact:
Solution:
Cost Of Solution To Avoid High Consequence Event:
High Consequence Event:
Impact:
Solution:
Cost Of Solution To Avoid High Consequence Event:
High Consequence Event:
Impact:
Solution:
Cost Of Solution To Avoid High Consequence Event: