We added some brief, 15-minute sessions to S4x13, and Chris Sistrunk of Entergy briefly describes how they calculated the risk of each RTU in their system.
They calculate the probability of compromise/failure based on the vendor/model, considering items like the age and vendor rather than vulnerabilities. This is not a trivial measure as a number of RTU vendors are out of the business, e.g. Chrysler. Perhaps this will change when secure PLC’s are available. Another probability of compromise factor is the communication type.
Chris then goes over how they quantify the impact of compromise. The more load the higher the score, the more transmission lines the higher the score. Tap stations get a high score.
Owner/operators should watch this and see how even a basic analysis can help make decisions on where to spend money and effort to reduce risk.