When is Enough Enough?
Making risk-based decisions about cybersecurity investments

09.24.2015, AGA Finance Committee Meeting, New York, NY

David W. White, Chief Knowledge Officer, Axio Global, 917.209.9284, [email protected]
Jim F. Linn, Managing Director, IT, AGA, 202.824.7272, [email protected]


Outline

• What is cyber risk?
  – Definitions to frame the discussion
  – Should energy companies be concerned?
• Examples of energy sector cyber attacks
• Key categories of cyber risk to energy firms
  – Information theft
  – Property damage
  – Environmental damage
  – Computer systems damage
• How to understand & manage the risk
  – Quantifying potential cyber impacts unique to my organization
  – Risk transfer challenges & optimization
  – Implementing effective controls to minimize the risk

Objective is to make sense of a challenging problem space and leave you with a framework for action


What is Cyber Risk?


Cyber: Of or relating to computers, information technology, electronic communications (especially the internet), or virtual reality

Risk: Exposure to danger, harm, or loss

Cyber Risk: Exposure to danger, harm, or loss related to the use of or dependence on computers, electronic data, or electronic communications (including the internet)

Typically involves unauthorized access and unauthorized use of computer technology


Should Energy Companies be Concerned about Cyber Risk?


"The energy sector has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide." — Symantec, 2014

"Energy sector tops list of US industries under cyber attack" — DHS, 2015

(Chart: Incident reports to ICS-CERT in FY2014)

Energy-specific threats are on the rise; examples: Havex, BlackEnergy, Dragonfly. FireEye identified 50 strains of malware in 2013 that targeted the energy sector.


Cyber Risk in the Energy Sector

Theft or loss of data
• Personal data, business data, any data with black-market value is at risk
• Motive: financial or competitive gain

Data destruction
• Wiping or scrambling electronic data
• Motive: ideological, extortion, terrorism, or war

Communication disruptions
• Website or network disruption; website defacement; social media takeover
• Motive: ideological, extortion, terrorism, or war

Operational or physical disruption or destruction
• Industrial control system takeover halting operations, breaking machinery, releasing pollutants, or destroying machinery and facilities
• Motive: ideological, extortion, terrorism, or war


EXAMPLES OF CYBER ATTACKS RELEVANT TO ENERGY FIRMS


Data Breach — Target, by the numbers

• 40 million credit cards + 70 million customer records stolen

• $54 million: income to cyber criminals

• $400 million: cost of replacing credit cards

• $150 million: Target initial response cost

• $1 billion: estimated ultimate cost to Target

• 140: number of active lawsuits against Target

• 2: Number of C-suite executives at Target who were fired

• 7: Number of Directors targeted by Institutional Shareholder Services for ouster, claiming failed duties to shareholders

• Important to watch because of the unprecedented impact on the Board and C-suite and the record-breaking damages. All data with black-market value is at risk.

Not an energy company, but good example of far-reaching breach impact


Destructive Attack — Steel Mill

• 2014: Germany

• Cyber attack on steel mill (via spear phishing)
  – Disrupted industrial control system for blast furnace
  – Furnace could not be shut down
  – Resulted in “massive” unspecified damage

• Revealed by German Federal Office for Information Security (BSI) in December 2014. Few details are known about the event; Germans remain quiet.

Source: bbc.co.uk, © 2014 BBC. Image from BBC: http://www.bbc.co.uk/schools/gcsebitesize/science/aqa_pre_2011/rocks/metalsrev2.shtml


Destructive Attack — BTC Pipeline

• 2008: Turkey; deemed a cyber attack in 2014

• Cyber attack through wireless network for surveillance cameras
  – Shut down alarms,
  – Severed communications, and
  – Super-pressurized oil in pipeline

• Impact
  – Spilled 30,000 barrels of crude
  – 3-week pipeline disruption
  – Azerbaijan lost $1B in revenue
  – BP lost $10 million in tariffs
  – Replaces Stuxnet as first cyber attack resulting in major physical damage

Source: Bloomberg.com, 12/10/2014, © 2015 Bloomberg

Image from Bloomberg: http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar


Destructive Attack — Stuxnet

• 2009: Iran’s Natanz uranium enrichment facility

• Extensive physical damage: 1000 industrial centrifuges were damaged or destroyed by overtaking the industrial control system and changing motor speeds while sending fake signals to control room to indicate normal conditions

• Control system was “air-gapped.” Malware was hidden in USB drive

• Until recently, considered to be the first cyber attack resulting in major physical damage


The Telegraph, 30 Nov 2010

http://securityaffairs.co/wordpress/4544/hacking/stuxnet-duqu-update-on-cyber-weapons-usage.html


Data Destruction Attack — Saudi Aramco, RasGas, Sony

• Saudi Aramco attack: August 15, 2012 — Islamic holy day
  – Insider deployed Shamoon wiper malware at Saudi Aramco
  – Destroyed data on 30,000 computers, rendering them inoperable
  – 10-day recovery; oil production not impacted

• Similar attack on RasGas, Qatari natural gas company, 2 weeks later

• November 2014, derivative malware was used to attack Sony Pictures


BIOS Malware — the next destructive attack?

• BIOS is computer firmware (a chip that contains core software required to operate; called UEFI on modern Windows computers)

• BIOS-level malware would be difficult (or impossible) to remediate

• Widespread infection could require the replacement of computer hardware to satisfactorily (or efficiently) remediate

• Not exclusive to energy firms


UNDERSTANDING AND MANAGING ENERGY CYBER RISK

A Framework for Action


Cyber Risk Reduction Curve

• Initial investments should be in cyber capability development—controls to protect and sustain.

• As risk curve flattens, cyber insurance becomes an efficient means to further reduce risk.

• Harmonizing the investment in technological and financial controls requires better exposure and loss metrics.

(Figure: Cyber Risk Reduction Curve. Phase 1: Invest in cyber capabilities. Phase 2: Sustain capability & invest in insurance. Insurance lowers the risk impact curve overall.)


Develop & Quantify Cyber Loss Scenarios

Identify several high-impact, notional, feasible cyber loss scenarios specific to your organization/operations

Estimate impact for selected scenarios using a structured impact taxonomy
– Four quadrant model
– All impacts from any cyber event can be categorized into these quadrants

(Figure: Axio Risk Action Framework, step 1, Develop and Quantify Cyber Loss Scenarios. The four-quadrant model has rows Financial Damages and Tangible (Physical) Damages, and columns 1st Party Damages (to your organization) and 3rd Party Damages (to others).)


Scenarios Sampler

Four fairly-generic starter scenarios

Data Theft
• Attacker penetrates numerous data stores
• Customer & employee bank account info (ACH), credit cards, & other identity information is stolen (SSNs, address)
• Proprietary exploration & financial data is also suspected to be stolen

Data Destruction
• A Shamoon-style attack deletes hard drive contents on every desktop and laptop computer in the enterprise overnight
• Business operations are severely impacted for 2 (or more) weeks while machines are either replaced or restored

Network Disruption
• Attacker compromises network communications used to control field assets
• Production operations are impacted due to inability to control remote assets

ICS Attack
• Stuxnet-like malware infects industrial control systems
• Attacker overtakes control of key valves and pressurization equipment leading to disruption in operation and major spill of petroleum products


1st Party Financial Damages (to your organization)

• Response costs: forensics, notifications, credit monitoring
• Legal expenses: advice and defense
• Revenue losses from network or computer outages, including cloud
• Cost of restoring lost data
• Cyber extortion expenses
• Value of stolen intellectual property

Typical scenarios: Data theft, Data Destruction, Network Disruption, ICS Attack

All scenarios are likely to result in extra expenses for response services and advisory services; amounts may vary widely


3rd Party Financial Damages (to others)

3rd Party Entities may seek to recover:
• Consequential revenue losses
• Restoration expenses
• Legal expenses
• Credit monitoring costs

3rd Party Entities may issue or be awarded civil fines and penalties

Typical scenarios: Data theft, Data Destruction (if 3rd-party data)

Increasingly, cyber incidents are resulting in 3rd-party claims, including shareholder and customer suits and regulatory fines


1st Party Tangible (Physical) Damages (to your organization)

• Mechanical breakdown of your equipment
• Destruction or damage to your facilities or other property
• Environmental cleanup of your property
• Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
• Bodily injury to your employees

Typical scenarios: Network Disruption, ICS Attack

Attacks on industrial control systems are likely to cause physical damage. Important to consider passive safety controls when analyzing these potential impacts.


3rd Party Tangible (Physical) Damages (to others)

• Mechanical breakdown of others’ equipment
• Destruction or damage to others’ facilities or other property
• Environmental cleanup of others’ property
• Bodily injury to others

Typical scenarios: ICS Attack

Attacks on industrial control systems are likely to cause physical damage. Important to consider how attack and damage might impact 3rd parties.


Review & Stress Test Insurance Portfolio

(Figure: Policy Language Review spectrum, running from Cyber Inclusion to Cyber Exclusion. Cyber Inclusion: Affirmative (favorable), None. Cyber Exclusion: None, Partial, Strong/clear (i.e., CL-380). Policy language that neither includes nor excludes cyber sits in the Uncertainty zone in the middle.)

Review all insurance policies to understand cyber coverage or exclusion

Stress test insurance portfolio with specific loss scenarios from Step 1

(Figure: Axio Risk Action Framework, step 1 Develop and Quantify Cyber Loss Scenarios; step 2 Review & Stress Test Insurance Portfolio.)


Stress Testing Sample Output

Quadrant                 Impact          Insurance      Balance Sheet Impact
1st Party Financial      $55,000,000     $20,000,000    $35,000,000
3rd Party Financial      $20,000,000     --             $20,000,000
1st Party Tangible       $250,000,000    --             $250,000,000
3rd Party Tangible       $50,000,000     $50,000,000    --

Total Impact: $375,000,000

Total Insurance Response: $70,000,000

Total Balance Sheet Impact: $305,000,000

(Figure layout: Axio Risk Action Framework four-quadrant model; rows Financial / Tangible, columns 1st Party / 3rd Party.)
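The four-quadrant stress test behind the sample output, worked through in Python as an added example (not Axio's tooling or the deck's own material): the slide's impact figures are set against an assumed insurance portfolio whose policy names, limits and wording classes are constructed, with wording classes taken from the policy language review spectrum (affirmative inclusion, silent, strong exclusion such as CL-380). The allocation rule (quadrants in listed order, each policy's limit eroding as it pays, silent wording flagged rather than counted) is an assumption of this example.

```python
from dataclasses import dataclass, field

# The four quadrants of the impact taxonomy: (party, kind).
QUADRANTS = [("1st", "financial"), ("1st", "tangible"),
             ("3rd", "financial"), ("3rd", "tangible")]

@dataclass
class Policy:
    name: str
    quadrants: frozenset   # quadrants this policy could respond to
    limit: int             # aggregate limit, dollars
    wording: str           # "affirmative", "silent", or "excluded" (e.g. CL-380)

@dataclass
class StressResult:
    impact: dict
    insurance: dict
    balance_sheet: dict
    uncertain: list = field(default_factory=list)  # (policy, quadrant) pairs to review

    def totals(self):
        return (sum(self.impact.values()), sum(self.insurance.values()),
                sum(self.balance_sheet.values()))

def stress_test(impacts, policies):
    """Allocate each policy's limit against quadrant impacts, quadrant by quadrant
    in QUADRANTS order, so a limit eroded by one quadrant is not available to the
    next. Silent wording counts as no response but is flagged for language review."""
    remaining = {p.name: p.limit for p in policies}
    insurance = {q: 0 for q in QUADRANTS}
    uncertain = []
    for q in QUADRANTS:
        uncovered = impacts.get(q, 0)
        for p in policies:
            if q not in p.quadrants or uncovered == 0 or p.wording == "excluded":
                continue
            if p.wording == "silent":
                uncertain.append((p.name, q))
                continue
            paid = min(uncovered, remaining[p.name])
            insurance[q] += paid
            remaining[p.name] -= paid
            uncovered -= paid
    impact = {q: impacts.get(q, 0) for q in QUADRANTS}
    balance = {q: impact[q] - insurance[q] for q in QUADRANTS}
    return StressResult(impact, insurance, balance, uncertain)

# Constructed sample: the slide's impact figures plus an assumed (hypothetical) portfolio.
SAMPLE_IMPACTS = {("1st", "financial"): 55_000_000, ("1st", "tangible"): 250_000_000,
                  ("3rd", "financial"): 20_000_000, ("3rd", "tangible"): 50_000_000}
SAMPLE_POLICIES = [
    Policy("cyber", frozenset({("1st", "financial"), ("3rd", "financial")}), 20_000_000, "affirmative"),
    Policy("property", frozenset({("1st", "tangible")}), 500_000_000, "excluded"),
    Policy("casualty", frozenset({("3rd", "tangible")}), 50_000_000, "affirmative"),
    Policy("umbrella", frozenset({("3rd", "financial")}), 25_000_000, "silent"),
]

result = stress_test(SAMPLE_IMPACTS, SAMPLE_POLICIES)
print(result.totals(), result.uncertain)  # (375000000, 70000000, 305000000) [('umbrella', ('3rd', 'financial'))]
```

Note how the $20M cyber limit is consumed entirely by 1st-party financial loss, leaving nothing for the 3rd-party financial quadrant, and how the silent umbrella policy shows up as an item for policy language review rather than as a response.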


Cyber Loss Spectrum: Insurance Coverage

(Figure: the four-quadrant model with 1st Party Damages (to your organization) and 3rd Party Damages (to others) across, Financial Damages and Tangible (Physical) Damages down. Labels: Traditional Cyber Insurance (mind the triggers) on the financial damages row; Intellectual Property Value noted as a 1st-party financial item; Several New Cyber Gap Products on the tangible damages row, Over Property for 1st party and Over Casualty for 3rd party.)


Evaluate Cyber Security Program

• Use a framework or model to evaluate cyber security program
• Consider multiple evaluations in large organizations for internal benchmarking
• Use results to identify and prioritize improvements

(Figure: Axio Risk Action Framework, step 1 Develop and Quantify Cyber Loss Scenarios; step 2 Review & Stress Test Insurance Portfolio; step 3 Cyber Program Evaluation using C2M2 (or other framework).)


Using C2M2 Results

Perform Self Evaluation
• Plan, facilitate, score, and interpret C2M2 self evaluation

Develop Target
• Develop C2M2 target profile by analyzing risk reduction and implementation cost of each practice gap in the model
• MIL3 (all green) is not the appropriate objective for all companies

Benchmark: Internal or External


Make Improvements to Reduce Risk

(Figure: Axio Risk Action Framework. Step 1 Develop and Quantify Cyber Loss Scenarios; step 2 Review & Stress Test Insurance Portfolio; step 3 Cyber Program Evaluation using C2M2 (or other framework); step 4 Reduce Risk: Optimize Insurance Portfolio as a Cyber Risk Control; Implement or Improve Impact Minimization Controls; Improve Cybersecurity Controls (technical, physical, and administrative).)


Cyber Risk Reduction Curve — Results

(Figure: Cyber Risk Reduction Curve with scenario positions marked. Phase 1: Invest in cyber capabilities. Phase 2: Sustain capability & invest in insurance. Insurance lowers the risk impact curve overall.)

• Following the process will result in different risk approaches for different scenarios
• For some, technology controls will present the greatest risk reduction.
• For others, insurance will present the greatest risk reduction.
• Investing in insurance reduces the impact for all.


Contact us

DAVID W. WHITE, Founder & Chief Knowledge Officer
[email protected]
New York, NY

JIM F. LINN, Managing Director, Information Technology
[email protected]
Washington, DC

Thank you