Can we use risk analysis to determine the economics of cybersecurity? #cybersecurity #pauto #safety
In our April edition, we'll be talking about the recent report by Ralph Langner and Perry Pederson published by the Brookings Institution about risk management as a cyber defense tool. We will be publishing the entire report as a web exclusive in Control and we've asked a group of distinguished automation professionals to comment on it in a special section on www.controlglobal.com/cybersecurity-fail. Be on the look out for it in April.
But I had some thoughts on the subject as well.
In the October cover story last year (http://www.controlglobal.com/articles/2012/boyes-process-automation-systems-security.html) Eric Byres of the Tofino Security division of Belden Inc. quoted an oil company executive as having told him, "If we spend $50 million for fire suppression on our offshore platforms, and we spend $50,000 for cybersecurity on those same platforms, and both types of incidents have the same consequences, then we have a problem. Either we are spending too much on fire suppression or too little for cybersecurity."
This illustrates the problem. We have been making oil and petroleum products and chemicals, food and beverages, paint and all the other products from the process industries for about 150 years now. We have really good data on the hazards of the various processes we employ. We have good data on the number of people killed and injured every year in the process industries. We have good data on the number of lost time accidents, and we have the scoop on plant downtime caused by accidents every year.
This means that we should have a clear idea of the risks in the process industries. And I submit that we do.
Unfortunately, the same is not necessarily true of security in the process industries. We know what could happen, but because so few incidents have happened, or been made public, we don't know to any significant precision, what actually has happened that was caused by a cyber incident.
We have to remember, too, that unlike nearly all of the data for safety risk in the process industries, security has a large component of intentional action. That is, we have to worry about cyber accidents, but also malicious activity on the part of hackers from wherever they hail, in addition to simple accidents on the plant floor.
In the safety area in the process industries, we start by doing a study that details what the hazards are, and what the risks of those hazards could be. We use the study to determine among other things the area classifications in various parts of the plant, and the safety levels (SIL) required of the controls, instruments, devices and systems in the plant.
When we started to design a companion process (ISA99) for determining security levels in the plant, we tried to use an equivalent study. We figured that if we knew what the hazards were in the plant, and what the risks of those hazards would be, we could define a risk assessment that would work for cyber security as well.
I don't think that works. Data exists for what actually happens when a cat cracker blows up, for example, and calculations exist for determining what the potential for that accident would be, based on maintenance and operations procedures and records. We can assume that the cost of the blowing up of the cat cracker would be the same if it happened intentionally through cyber means, but we only have that side of the equation. We do not know what the actual risk of that incident happening is. Remember, to the best of our knowledge it never has happened.
We know what such an incident would cost. We actually have data on the attack on the Natanz Uranium Enrichment Facility using the Stuxnet worm. We know it delayed the uranium enrichment program by as much as several years, and it forced Iran to scrap the entire set of infected centrifuges and replace them, at a cost of multiple millions of dollars.
What we can't do is a risk analysis of a deliberate cyber attack. If somebody is attacking you, the risk is 100%. If they are not, the risk is zero.
And how do you decide whether there is a risk of attacking you in one area and not in another? You can't. The only thing you can do is to improve security across the board in the hope that you can deter an attacker.
But, as our oil company executive pointed out, how do you know whether you're spending enough or too much? You can't do it with standard risk-based analysis.