Quantifying Risk in OT Cyber Security

Some of you may have heard my collaborative Podcast and discussion with Waterfall’s Andrew Ginter regarding understanding REAL risk when reporting and incident numbers are complicated or lacking.

The “Big one” (like the earthquake that is supposed to eventually hit Vancouver, BC, Canada) is hard to quantify for a variety of reasons such as:

• It hasn’t occurred yet, or on a scale that represents a catastrophic Armageddon level event
• Numbers don’t exist yet on a scale that can be used to substantiate REAL risk or actual probabilities.
• Awareness is still limited in organizations for Operational Technology (OT)/Industrial Control System (ICS) cyber security-related events. It is increasing, but Information Technology (IT) probability is well understood for the most part
• It gets swept under the rug. Incidents occur, but getting things back to regular operation is of more importance – whoops
• And the confusing nature for cyber security realities due to Fear-Uncertainty-Doubt (FUD), media, and marketing…

There is good news in understanding the critical nature of specific assets, and their exposure risk. Previously, I outlined the balance of risk vs. reward in another article, but understanding risks to your organization is tricky because we think of probabilities in this way:

Cost of event * Likelihood of occurrence = Impact/Cost

If we use that formula – we are missing some key information because events are not simply defined by such a naive (and convenient) equation, and neither are actualities nor real-world impacts. Let’s consider the following:

• Direct costs – basically these are the costs that are immediate and are firsthand related to the event are relatively trivial to understand. These are costs of disruption, revenue lost, time/efforts to fix and so on.
• Indirect costs – in continuation to indirect costs, these are secondhand. These can be unintended effects such as contractual obligations that have unforeseen consequences that are in addition to the cost of the event, or the effects on your employees such as emotional burnout from rush-to-resolve periods, and potential unknowns relating to brand damage
• Impacts – the big question: “the bottom-line” is often known within an organization or industry, but what if I told you, it can be a bit of a red herring or at least something to be contemplated. Certainly, it is easier to work backwards from the concept of “I know X will cost Y in terms of impact”, but even a low probability of a high cost event will make the charts in a risk discussion. Careful!

Unfortunately, I don’t have the answer for your organization specifically, or the magic number to the universe (queue hitchhiker’s guide to the galaxy quotes), but what I can tell you is this:

1. Many cyber security-enabled incidents occurred through attack vectors that transgressed using IT technologies and network connectivity; these were not initially targeted for OT (e.g., email or AD GPO), but then became more specialized as they inched closer to sensitive areas in OT environments. The final goal may have been OT, but there were many steps in that journey (see my multiple comments on TRISIS).
2. IT attacks and incidents provide a solid basis for probability (with appreciation of OT environments) are fairly well understood and so are their associated probabilities… This provides a great basis for moving towards an effective risk equation that has some substantive qualities to it… (e.g., vs. the cost of the power grid being disrupted will be massive, and its super probable because it hasn’t happened yet, but it could… give me your money).
3. High-frequency, but low impact events can have a HUGE impact on the bottom-line and financial feasibility of an organization. If I want to attack you, and I know your “burn rate”, and your “budget”… do the math, but I suspect it is going to be easier, more effective, and less devious/nefarious than negatively affecting process control system safety.
4. Successful attacks are made up of several attacks chained together. Think kill-model, but truthfully, I’m not sure all attackers think this way. It’s a series of poor/lacking design decisions that lead from one thing to the next, and arrive at a consequence that has an impact. Again, this is why organization’s need to “get the basics dialed in”… or in other words, stop making access to critical systems easy by merely following cyber-hygiene best practices until a sufficient level of maturity is reached
5. Each of the chained attacks have a probability that can be used to derive an eventual probability of the final big impact event. If you add them up as in my example during my Podcast, you can get to that number, and then even provide mitigation aspects to determine residual risk in some cases! It’s certainly more sound and logical when speaking to decision makers about budget, and necessary efforts to protect against such an event.

Then to summarize, this equation might look like:

(Likelihood of event 1) * (Likelihood of event 2) * (…) == final probability

Which can then be used to supplement cost assumptions etc…

Obviously, cyber security is constantly in flux and numerous models exist, but if you need a “finger to the wind” to help get started – I hope this approach can help break a “big” or hard to solve problem into workable chunks.