A Practical Guide to Getting Your Hands Around Cyber Risk
AEGIS 2014 POLICYHOLDERS’ CONFERENCE, BREAKOUT SESSION, 7/30/2014
Deck: Wed_BKO_McDonnell_Chambliss_Welsh_Hancock_Cyber_Risk



AEGIS 2014 POLICYHOLDERS’ CONFERENCE
BREAKOUT SESSION

A Practical Guide to Getting Your Hands Around Cyber Risk

CYBER SECURITY RISK ASSESSMENT
Tom McDonnell, Manager, Insurance & Operational Risk Management
FirstEnergy Corp.


Scope

• Risk Assessment
  A combination of the Department of Energy’s Cyber Assessment Process, Factor Analysis of Information Risk (FAIR), a Threat-Vulnerability-Consequence Matrix, and FirstEnergy’s risk assessment process

• Purpose
  To identify FirstEnergy’s cyber security risks, threats, and vulnerabilities
  To quantify the risk exposures in financial terms, document current mitigation strategies, determine reporting frequency, and decide on risk mitigation / transfer strategies

• Players
  (1) Cyber Security / IT Compliance, (2) Corporate Risk, (3) Subject Matter Experts (“SMEs”) in various organizations [IT, Fossil, FENOC, Energy Delivery, Smart Meter]

Structure

Environment Definition: the Cyber Security Risk Assessment is broken into the following environments

1. Information Technology: corporate network, email, SAP, Energy Management System / Generation Management System (EMS/GMS)
2. Fossil Operations: fossil plants and related equipment / cyber systems
3. Energy Delivery: substations, transmission lines and related cyber systems
4. FENOC: nuclear plants and related equipment / cyber systems
5. Smart Meter: smart meters, wireless communications, other smart electricity distribution related cyber systems


Structure (cont.)

Risk Category Definition: risk categories within each environment

1. People: the risk that people (employees, third party personnel, the public) could have an adverse impact on our cyber systems
2. Processes: the risk that processes and procedures (missing, deficient or poorly implemented procedures) could have an adverse impact on our cyber systems
3. Technology: the risk that IT system component failures (through design, implementation, and / or maintenance) could have an adverse impact on our cyber systems
4. External Factors: the risk that outside factors (natural disasters, nation state attack, etc.) could have an adverse impact on our cyber systems

Quantification Methodology

• Conducted meetings with SMEs to identify and quantify cyber security risks in each category:
  Identified (1) threats, (2) vulnerabilities, (3) affected assets, (4) range of consequences, and (5) current mitigation strategies
  Quantified the minimum / most likely / maximum impacts based on:
    • Primary costs (e.g. production costs, response cost, replacement cost)
    • Secondary costs (e.g. regulatory fines, legal costs, competitive advantage)
  Estimated the frequency / likelihood of an incident (“incidents per year”)

• Developed a loss distribution for all cyber risks as the product of a Poisson distribution (frequency) and a PERT distribution (impact); in practice this means sampling how many incidents occur in a period and drawing a PERT-distributed impact for each, so the period’s loss is the sum of those impacts
  This allowed the team to represent the risks in financial terms as a Value at Risk (VaR) calculation: the loss not exceeded at a chosen confidence level (the 99% CL in the results below)
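The frequency / impact method above, as an added example that is not from the slides or from FirstEnergy: a stdlib-only Monte Carlo simulation in which each year’s incident count is drawn from a Poisson distribution, each incident’s impact from a PERT distribution (a Beta distribution rescaled onto [min, max] with the classic weight of 4 on the most likely value), and the “99% CL impact” is read off as the 99th percentile of the simulated annual loss. The three register entries reuse the code, threat, vulnerability, consequence and 5-year frequency from the results table later in this deck, but the minimum / most likely / maximum impacts are invented for illustration, so the printed figures will not reproduce the slide’s. The dataclass, function names and the `REGISTER` list are this example’s own.

```python
"""Monte Carlo loss distribution for a cyber risk register (added example, not FirstEnergy's model).

Frequency of incidents ~ Poisson(lambda); impact of each incident ~ PERT(min, most likely, max);
annual loss = sum of the impacts of that year's incidents; VaR at a confidence level = that
percentile of the simulated annual-loss distribution. Standard library only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    code: str
    threat: str
    vulnerability: str
    consequence: str
    events_per_year: float   # Poisson rate; the slide's table quotes events per 5 years, so divide by 5
    impact_min: float        # $M, minimum foreseeable impact (primary + secondary costs)
    impact_mode: float       # $M, most likely impact
    impact_max: float        # $M, maximum foreseeable impact


def pert_params(lo, mode, hi, lam=4.0):
    """(alpha, beta) of the Beta distribution behind PERT(lo, mode, hi); lam=4 is the classic PERT weight."""
    if not (lo <= mode <= hi) or lo == hi:
        raise ValueError("need lo <= mode <= hi and lo < hi")
    span = hi - lo
    return 1 + lam * (mode - lo) / span, 1 + lam * (hi - mode) / span


def sample_pert(rng, lo, mode, hi):
    """Draw one impact: a Beta(alpha, beta) sample rescaled onto [lo, hi]."""
    alpha, beta = pert_params(lo, mode, hi)
    return lo + (hi - lo) * rng.betavariate(alpha, beta)


def sample_poisson(rng, lam):
    """Number of incidents in one period (Knuth's method; fine for the small rates of a risk register)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(rng, scenarios, years):
    """Simulate `years` independent years; return per-scenario and total annual losses."""
    per_scenario = {s.code: [] for s in scenarios}
    totals = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            n_events = sample_poisson(rng, s.events_per_year)
            loss = sum(sample_pert(rng, s.impact_min, s.impact_mode, s.impact_max)
                       for _ in range(n_events))
            per_scenario[s.code].append(loss)
            year_total += loss
        totals.append(year_total)
    return per_scenario, totals


def value_at_risk(losses, confidence):
    """Empirical VaR: the smallest simulated loss not exceeded in `confidence` of the simulated years."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[min(max(idx, 0), len(ordered) - 1)]


# Constructed register for illustration. Codes, threats, vulnerabilities, consequences and the
# 5-year frequencies follow the slide's results table; the min / most likely / max impacts are
# invented and are not FirstEnergy's figures.
REGISTER = [
    RiskScenario("IT02", "Cyber criminals", "Inadequate procedures / compromised cyber systems",
                 "Network data breach", 0.49 / 5, 5.0, 30.0, 150.0),
    RiskScenario("FO01", "Cyber criminals / spear phishing / malicious insiders",
                 "Programs / procedures are inadequate or not followed", "Fossil outage",
                 1.00 / 5, 2.0, 20.0, 130.0),
    RiskScenario("ED02", "Nation state attack", "Compromised cyber control systems",
                 "Wide-spread BES outage", 0.50 / 5, 10.0, 40.0, 70.0),
]


def report(seed=2014, years=20000):
    """Per-scenario 99% CL impacts plus expected annual loss and portfolio VaR, all in $M."""
    rng = random.Random(seed)
    per_scenario, totals = simulate(rng, REGISTER, years)
    return {
        "per_scenario_var_99": {code: value_at_risk(losses, 0.99)
                                for code, losses in per_scenario.items()},
        "expected_annual_loss": sum(totals) / len(totals),
        "var_95": value_at_risk(totals, 0.95),
        "var_99": value_at_risk(totals, 0.99),
    }


if __name__ == "__main__":
    result = report()
    for code, var99 in result["per_scenario_var_99"].items():
        print(f"{code}: 99% CL impact ${var99:6.1f}M")
    print(f"expected annual loss ${result['expected_annual_loss']:6.1f}M, "
          f"portfolio VaR 95% ${result['var_95']:6.1f}M, 99% ${result['var_99']:6.1f}M")
```

Two caveats a practitioner should carry into the results slide: the 99% CL is an order statistic of the tail, so with 20,000 simulated years only 200 observations lie above it and the figure moves noticeably between seeds (raise `years` before relying on it); and VaR is not additive, so the portfolio `var_99` is neither the sum of the per-scenario values nor necessarily larger than the biggest of them.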

Threats – Vulnerability – Consequence Matrix

Scenario: Nation State attacks FE with determination, resources, and expertise with the goal of causing a significant BES outage

Threats (Attackers):
  - Nation state performing a complex and multifaceted attack

Vulnerabilities:
  - Employees with privileged access to network, systems, etc.
  - Virus / malware infection
  - Zero-day software vulnerability
  - User clicking on a phishing or spear phishing link or opening a malicious attachment

Consequences:
  - Wide-spread BES outage

Threats – Vulnerability – Consequence Matrix

Scenario: Cyber criminal and current disgruntled employee attack FE cyber infrastructure to gain customer information such as SSNs and bank account information, with a goal of profiting from identity theft

Threats (Attackers):
  - Cyber criminals: skilled cyber criminals targeting FE for monetary gain
  - Current / former disgruntled employees: intentional compromise of cyber assets

Vulnerabilities:
  - Weak / inadequate encryption of stored information (data at rest)
  - Employees with general access to network, systems, etc.
  - Misconfiguration of cyber assets to allow easier compromise
  - Insecure encryption key management system and / or network protocols used
  - USB jump drive accessibility and use

Consequences:
  - Data breach: all or most FE customer records compromised (more than 100,000 records)

Results – Top Maximum Foreseeable Losses

• The 99% Confidence Level (CL) represents a worst case scenario with a very low likelihood of occurrence
• Although not represented here, Smart Meter is considered an emerging risk due to the uncertainty and newness of the technology

Code  Threat               Vulnerability                                         Consequence                  Potential Frequency*  99% CL Impact ($M)
IT02  Cyber criminals      Inadequate procedures / compromised cyber systems     Network data breach          0.49                  144.8
FO01  CC / SP / MI         Programs / procedures are inadequate or not followed  Fossil outage                1.00                  129.0
FO04  CC / SP / MI         Misconfiguration                                      Fossil outage                1.00                  129.0
FN07  CC / SP / MI         Cyber systems inadequate or broken                    Nuclear outage               0.33                  102.9
FN06  CC / SP / MI         Insufficient system documentation                     Nuclear outage               0.33                  102.9
FN02  CC / SP / MI         Reliance on 3rd party support                         Nuclear outage               0.33                  102.9
ED02  Nation state attack  Compromised cyber control systems                     Wide-spread BES outage       0.50                   64.0
FN04  CC / SP / MI         Control system failure                                Nuclear outage               0.50                   48.8
FN01  CC / SP / MI         Programs / procedures are inadequate or not followed  Nuclear outage               0.49                   48.8
ED01  Cyber criminals      Compromised cyber control systems                     Regional / local BES outage  1.00                   47.7
ED08  CC / SP / MI         Reliance on 3rd party support                         Regional / local BES outage  1.00                   47.7

CC / SP / MI = Cyber criminals / spear phishing / malicious insiders
* Potential Frequency: number of events per 5 years
99% CL Impact: 99th percentile of the loss distribution, in $M

PREVENTING THE INEVITABLE
Gail L. Chambliss, Director, Financial Risk Management
PNM Resources, Inc.

Why should we care?

“After years of warning the U.S. electric grid & critical infrastructure are dangerously vulnerable, experts fear it may take a major destructive attack to jolt CEOs out of complacency…”
Reuters, May 16, 2014

“Eastern European attackers, Energetic Bear, gain access to energy providers by tampering with industrial control systems software updates…”
IDG News, June 30, 2014

What are the potential exposures?

[Diagram labels recovered from the slide: Legal, Risk, IT, Ops]

Third-Party Exposures

• Release of confidential or protected data

• Failure to supply

• Third-party property damage

• Third-party bodily injury

• Loss of customers

First-Party Exposures

• Physical property damage

• Non-physical damage (data, software)

• Loss of revenue

• Extra expenses

• Reputational damage

How do we govern?

[Organization chart; labels recovered from the slide: Board of Directors; Audit & Ethics Committee; Senior Management; Cyber Security Governance Committee; Legal; CIO; Security & Compliance; Risk Mgt.; Supply Chain; Internal Audit; IT Architecture; Power Operations; Enterprise Risk Management; NERC Compliance; T&D; Strategy & ERM; Generation; Energy Technology & Strategy]


How do we tackle?

• Linkage to ERM Risk Map
• Cyber Security Governance Committee
• Policies and Procedures
  Information Security
  Cloud Computing
  Data and Record Management
• Supplier Management
  Risk Assessment
  Insurance Risk Matrices
• Awareness
  Employees, partners, regulators, etc.
  Bring your own device
• Operations
  Developing technology
  Coordination of physical and cyber security

What do we do day to day?

[Diagram labels recovered from the slide:]
• Third-Party Assessments & Testing
• Contractual Risk Transfer
• Collaboration Workshops (external groups)
• Evaluating Disclosures
• Employee Awareness Education
• FERC, NERC, CIP, SOX Compliance
• Developing Core Asset Technology
• Cyber Liability Insurance
• Managing a Dynamic Cyber Risk Environment


Where do we go next?

[Diagram labels recovered from the slide]
Themes (shown twice on the slide): Scenario Planning; Continuous Risk Assessment; Consistency; Identify Partners; Support; Adaptability & Flexibility
Other labels: Team Service Coverage; Business Exposures; Innovation; Insurers; Forensics; Knowledge; Public Relations; Board of Directors; Cross Functional; Table Top Exercise; Debrief; Engage Stakeholders; Lead Risk Dialogue; Ask the Tough Questions; PNMR Cyber Partners; Continuous Operations; Claims Guide; Broker; Risk Appetite

Closing ‒ Questions?

Good Luck!

A PRACTICAL GUIDE TO GETTING YOUR HANDS AROUND CYBER RISK
Rick Welsh, Head of Cyber Insurance, AEGIS London
Joe Hancock, Cyber Security Specialist, AEGIS London

Overview

• The need for Cyber Insurance

• AEGIS Cyber Coverage and Services Overview

• AEGIS Cyber Coverage Customer Lifecycle

• AEGIS Cyber Roadmap

• AEGIS Cyber Engagement

The Need for Cyber Insurance

• Cyber security is a problem for Energy in a way that information security wasn’t
• Energy companies are clearly a target for advanced attacks moving beyond those from criminals
• Targeting Operational Technology (OT) with real-world impacts

The Operational Technology Problem

Increasing Exposure: the need to maintain operational availability makes updating and patching OT a significant challenge, with the technology becoming increasingly exposed.

IT / OT Convergence: the lines between corporate IT and operational environments are becoming increasingly blurred as organisations seek to realise efficiencies.

Improving Adversaries: attackers are increasingly focusing on OT; we’ve seen an increase in capability emanating from foreign countries, including less well-known nations. Capability resides mostly in nation states, and expertise is less widespread than for IT.

Safety Critical Risks: safety critical systems are a particular risk; the impacts on safety cases are not fully explored, and the impacts of safety on security are also not well understood in the security community.

Existing Cyber Insurance Products

It’s unclear in the marketplace which policies cover losses resulting from a cyberattack; our CyberResilience DIC solution fills this void

[Diagram labels recovered from the slide: CyberResilience DIC Coverage; CyberResilience Coverage; Existing AEGIS Coverage: Terrorism Coverage, Property Coverage, Excess Liability Coverage, Casualty Coverage]

Our Cyber Coverage

• Risks covered
  Property Damage
  Bodily Injury
  Business Interruption
  Data Breach
  Cyber Extortion
  Data Recovery
  Network Security
  Media Liability
  Forensics – IT and OT

Supporting Cyber Risk Management

• Our cyber solution extends much further than just traditional risk transfer
• Our goal is to support the membership and policyholders in long-term cyber risk management

[Diagram labels recovered from the slide: AEGIS Cyber Coverage; Threat Intelligence; Risk Assessments; Security Benchmarks; Incident Response; Bodily Injury; Property Damage; Data Loss; Business Interruption; Data Recovery; Cyber Extortion]

Key Supporting Services

We believe that both effective risk management and cyber security controls, when properly implemented, are crucial to managing cyber risk alongside our coverage.

Critical Success Factor        AEGIS Services
Proportionate Risk Management  Risk assessment; Security benchmarking
Accurate Risk Management       Threat intelligence
Increased Resilience           Incident response; Security advisory

Key Service Concepts: Security Assessments

Appropriate and proportionate risk management requires robust risk assessment. Our business risk focused assessment helps identify how cyber threats may lead to high-priority business risks.

AEGIS Provides                  Policyholder Benefits
Cybersecurity Risk Assessments  Strategic direction and risk advice; Independent validation of current risks; Early sight of emerging risks; Bridge the gap between cyber threats and business impacts; Improved coverage and pricing

Key Service Concepts: Security Assessments

Supports the evaluation, prioritization and improvement of security capabilities against current risks and the wider sector.

AEGIS Provides                      Policyholder Benefits
Cybersecurity Maturity Assessments  Strategic direction and risk advice; Independent validation of current risk management and security; Improved coverage and pricing

Key Service Concepts: Threat Intelligence

Detailed and contextualized threat intelligence directs risk and security capability against the most critical risks and immediate threats.

AEGIS Provides             Policyholder Benefits
Periodic Threat Briefings  Accurate intelligence to support risk assessment and management; Reduced exposure to critical security incidents
Indicators of Compromise   Early sight of emerging risks

Key Service Concepts: Incident Response

Cyber incidents require time-critical specialist support to investigate and remediate. We ensure that policyholders are prepared to respond and are supported in doing so.

AEGIS Provides                  Policyholder Benefits
Incident Response Advisory      Increased resilience and efficient remediation
Incident Management             Reduction in incident duration
Incident Response / Forensics   Compliance with regulatory requirements
Technical Remediation Advisory  Specialist third-party technical expertise

Key Service Concepts: Advisory Services

Supporting the membership and policyholders is key to reducing losses and providing the required coverage. Through our ongoing engagement and experience in cyber security we will provide ad-hoc advice to members with cyber concerns or questions.

AEGIS Provides                     Policyholder Benefits
Ad-hoc advisory                    Increased security awareness
Good practice guidance             Accurate risk mitigation
Access to forums / working groups  Reduced consultancy costs

Cyber Insurance Lifecycle

Our policy process ensures accuracy of cover, access to services and tailored, timely incident management.

[Lifecycle diagram labels recovered from the slide: Query; Coverage Assessment; Onboarding; Policy Coverage Period; Cyber Incident; Incident Response; Claims Management; Renewals Process; Supporting Cyber Services: Threat Intelligence, Security Assessments, Security Benchmarking, Advisory Services]

Cyber Insurance Roadmap (PHC2014 to PHC2015)

• Strategic Partnerships
• Security Assessments Launch
• On-boarding and service development
• Threat Intelligence Launch
• Membership Engagement
• Further Product Development…


Cyber Insurance Market Engagement

• Cyber is becoming a focus area for government as well as business

• This could lead to excessive regulation, increased compliance risk and “one size fits no one” standards

• AEGIS will engage alongside policyholders to represent their interests

Real group effort.