2018 ICS Cyber Security Conference

ICS cyber risk needs to be normalized with mechanical operational risk for it to be better communicated, understood and managed.

When ICS cyber risk is accurately modeled, measured, quantified and normalized with mechanical/industrial operational risk, it is then demystified.

Plant operations management needs to make effective comparisons between ICS cyber risk and the fifty other risk issues they have on their plate, ones with a historical impact on operations, to make well informed risk management decisions. Metrics and financial analysis rule the day, management needs more than cyber risk heat maps and gap analysis against control frameworks to know how much $$ they should care. ICS cyber risk needs to be normalized with operational risk for it to be better communicated, understood and managed.

To make effective comparisons between cyber risk and operational risk, it is necessary to normalize the analysis results through the use of a common model that generates quantitative financial metrics. Once quantified in a common metric, cyber risk can be de-mystified and evaluated against other high-priority operational risk issues. The result of applying limited budget in appropriate amounts to properly prioritized risk issues results in optimal risk management and therefore more reliable and safe operations.

This presentation will demonstrate by case study the evaluation of both cyber risk and operational risk scenarios for a power plant and how risk mitigation options were evaluated and chosen based on their risk-reduction and cost-benefit merits.

The risk model and analysis methodology used to achieve this normalization is published by The Open Group in 2008 as The Open Group Risk Taxonomy (O-RA, Standard C13K) and the Standard for Risk Analysis.

Using these resources, the audience will learn how to answer the most challenging cyber risk management questions facing the plant operations today: How much cyber risk is there? How much less cyber risk will there be if certain measures are taken? What is the cost-benefit impact and how does this compare to my other risk issues I have to manage?