Justifying Utility Security Investments
11 January 2017
Today’s Speakers
David Mayers, Managing Director, Security, Risk & Resilience
David Price, Associate Vice President, Asset Management
Security is a top industry issue …
Top 3 Industry Issues
Aging Infrastructure: 90%
Cybersecurity: 90%
Reliability: 94%
… but not a top investment priority
Top 3 Capital Priorities
Transmission Improvements (including substations): 40%
Workforce Training & Development: 41%
Existing Asset Maintenance: 63%
SOURCE: Black & Veatch 2016 Strategic Directions: Electric Industry Report
Why is it so hard to justify security investments?
Security investments don’t provide hard ROI like other programs. To show value, security investments must demonstrate risk reduction. How do you demonstrate risk reduction?
Targeted investments …
… decrease risk
Solution: Develop and Implement a Security Risk Framework
Today’s discussion centers on steps 2 – 4 of the framework and how this process supported investment in critical physical and cyber security needs of a large, Northeastern utility.
Identify Assets, Systems, Networks and Functions
Divide your assets into classes or tiers based on criticality and identify the security needs of each.
Tier 1: High-Risk, Compliance-Related Assets
Tier 2: Moderate to High-Risk Assets
Tier 3: Moderate to Low-Risk Assets
Subsequent Tiers Based on Criticality and Type
Assess Risks for Each Asset Class
Consider vulnerabilities, threats and the consequences of a breach or asset failure. Utilities must also assess internal vulnerabilities and controls used to mitigate threats.
Asset
Asset System
Asset Portfolio
Assessing the Likelihood of Failure
Determining the likelihood of a threat occurring and/or a vulnerability being exploited.
Adversarial or Intentional Events
Accidents and Technological Failures
Natural Events
Defining the Consequence of Failure
There are many types of consequences. Some are quantifiable, like financial, safety and reliability. Others are more qualitative, such as reputation and customer perception.
Consequence of Failure
Safety
System Reliability
Financial
Reputational
Environmental
Customer Perception
Scoring Scales Accurately Assess Criticality
Quantify Risk
Risk modeling enables utilities to quantify risk of their existing assets and develop optimized plans that balance risk and costs based on the likelihood and consequence of failure.
Risk Trajectory Illustrative Example
Inherent Risk Level (IR)
Residual Risk Level (RR)
Target Risk Level (TR)
Monitor effectiveness of current mitigation plan
Develop action plan and monitor progress
Identify and Prioritize
Capture the cost and benefit (risk reduction) of identified improvement opportunities.
Demonstrate Value
[Chart, 2013 to 2020. Axes: Annual Capital Spend (Nominal $M) and Portfolio Total Risk Score. Series: Direct Budget Allocation; Emergent Work Allocation; Run to Failure Risk Profile; Proposed Budget Risk Profile. Labelled risk scores: 54,393; 37,139; 42,153.]
32% Reduction in Total Risk Score
Summary
• Understand Your System
  • Identify critical assets
  • Know interdependencies
• Identify Vulnerabilities
• Quantify Risk
  • Likelihood of failure
  • Consequence of failure
• Identify Improvements
• Quantify Benefits
  • Total risk reduction
  • High-risk asset mitigation
• Demonstrate Value
  • Seek to integrate security into your asset management programs
Contact Information:
David Mayers: +1 704-510-8417
David Price: +1 936-666-8003
Additional Tools and Resources:
Online Security Self-Assessment: https://pages.bv.com/securityassessment.html
Subscribe to Security Insights newsletter: https://pages.bv.com/Security_Insights-Opt-In.html