TRANSCRIPT
7/30/2014
Wed_BKO_McDonnell_Chambliss_Welsh_Hancock_Cyber_Risk 1
AEGIS 2014 POLICYHOLDERS’ CONFERENCE
BREAKOUT SESSION
A Practical Guide to Getting Your Hands Around Cyber Risk
CYBER SECURITY RISK ASSESSMENT
Tom McDonnell, Manager, Insurance & Operational Risk Management
FirstEnergy Corp.
Scope
• Risk Assessment
A combination of the Department of Energy’s Cyber Assessment Process, Factor Analysis of Information Risk (FAIR), a Threat-Vulnerability-Consequence Matrix, and FirstEnergy’s risk assessment process
• Purpose
To identify FirstEnergy’s Cyber Security risks, threats, and vulnerabilities
To quantify the risk exposures in financial terms, document current mitigation strategies, determine reporting frequency, and decide on risk mitigation / transfer strategies
• Players
(1) Cyber Security / IT Compliance, (2) Corporate Risk, (3) Subject Matter Experts (“SMEs”) in various organizations [IT, Fossil, FENOC, Energy Delivery, Smart Meter]
Structure
The Cyber Security Risk Assessment is broken into the following environments:
Environment – Definition
1. Information Technology – Corporate network, email, SAP, Energy Management System / Generation Management System (EMS/GMS)
2. Fossil Operations – Fossil plants and related equipment / cyber systems
3. Energy Delivery – Substations, transmission lines and related cyber systems
4. FENOC – Nuclear plants and related equipment / cyber systems
5. Smart Meter – Smart Meters, wireless communications, other smart electricity distribution related cyber systems
Structure (cont.)
Risk categories within each environment:
Risk Category – Definition
1. People – The risk that people (employees, third party personnel, the public) could have an adverse impact on our cyber systems
2. Processes – The risk that processes and procedures (missing, deficient or poorly implemented procedures) could have an adverse impact on our cyber systems
3. Technology – The risk that IT systems (component failure through design, implementation, and / or maintenance) could have an adverse impact on our cyber security systems
4. External Factors – The risk that outside factors (natural disasters, nation state attack, etc.) could have an adverse impact on our cyber systems
Quantification Methodology
• Conducted meetings with SMEs to identify and quantify Cyber Security Risks in each category:
Identified (1) threats, (2) vulnerabilities, (3) affected assets, (4) range of consequences, and (5) current mitigation strategies
Quantified the minimum / most likely / maximum impacts based on:
• Primary costs (e.g. production costs, response cost, replacement cost)
• Secondary costs (e.g. regulatory fines, legal costs, competitive advantage)
Estimated the frequency / likelihood of an incident (“incidents per year”)
• Developed a Loss Distribution for all Cyber risks using the product of a Poisson Distribution (Frequency) and a Pert Distribution (Impact)
This allowed the team to represent the risks in financial terms by showing them as a Value at Risk (VaR) calculation
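The frequency-times-impact step described above, worked as an added example (my code, not the presentation’s or FirstEnergy’s): a Monte Carlo simulation in plain Python that draws each year’s event count from a Poisson distribution, draws an impact per event from a PERT distribution built on the SME minimum / most likely / maximum estimates, and reads the 99% Value at Risk off the simulated annual losses, both per scenario (the way the results table reports a 99% CL impact) and for the whole register. The scenario codes, names and dollar ranges are constructed for illustration; the frequencies follow the deck’s convention of events per 5 years and are divided by 5 to get an annual rate, which is an assumption about how the register numbers would be annualized.

```python
import math
import random


def sample_poisson(rate, rng):
    """Draw one event count from Poisson(rate) using Knuth's method.

    Fine for the small annual rates in a cyber risk register (well under 30/yr).
    """
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def sample_pert(lo, mode, hi, rng, lam=4.0):
    """Draw one impact from PERT(lo, mode, hi): a Beta distribution rescaled to [lo, hi].

    lam=4 is the classic PERT weighting, giving mean (lo + 4*mode + hi) / 6.
    """
    if not lo <= mode <= hi:
        raise ValueError("need lo <= mode <= hi")
    if hi == lo:
        return float(lo)
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(alpha, beta)


def annual_rate(events, years):
    """Convert a register frequency such as 0.49 events per 5 years into events per year."""
    return events / years


def simulate_annual_losses(scenarios, years, seed=2014):
    """Monte Carlo the aggregate loss ($M) for each of `years` simulated years.

    Per year, each scenario produces Poisson(rate_per_year) events, each costing an
    independent PERT(min, likely, max) draw; the year's loss is the sum across scenarios.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(sample_poisson(s["rate_per_year"], rng)):
                total += sample_pert(s["min"], s["likely"], s["max"], rng)
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.99):
    """Empirical VaR: the annual loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(0, min(idx, len(ordered) - 1))]


def summarize(losses, confidence=0.99):
    """Headline figures for a loss distribution: expected annual loss, VaR, P(any loss)."""
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var": value_at_risk(losses, confidence),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed, illustrative register entries (hypothetical codes; not FirstEnergy's figures).
# Frequencies follow the deck's convention of events per 5 years; min / likely / max are
# SME-style impact estimates in $M.
SCENARIOS = [
    {"code": "X01", "name": "Network data breach",
     "rate_per_year": annual_rate(0.49, 5), "min": 2.0, "likely": 15.0, "max": 150.0},
    {"code": "X02", "name": "Generation outage",
     "rate_per_year": annual_rate(1.00, 5), "min": 1.0, "likely": 10.0, "max": 130.0},
    {"code": "X03", "name": "Wide-spread BES outage",
     "rate_per_year": annual_rate(0.50, 5), "min": 5.0, "likely": 20.0, "max": 65.0},
]

if __name__ == "__main__":
    years = 20000
    for s in SCENARIOS:  # per-scenario 99th percentile, as the deck's results table reports
        var = value_at_risk(simulate_annual_losses([s], years))
        print(f"{s['code']} {s['name']:<24} 99% CL impact: ${var:6.1f}M")
    total = summarize(simulate_annual_losses(SCENARIOS, years))
    print(f"Portfolio expected annual loss: ${total['expected_annual_loss']:.1f}M")
    print(f"Portfolio 99% VaR:              ${total['var']:.1f}M")
    print(f"P(at least one incident/yr):    {total['p_any_loss']:.1%}")
```

Two design points matter when reading the output. The portfolio VaR is not the sum of the per-scenario 99% CL figures, because the simulation lets scenarios fall in different years; adding the column of a results table overstates the worst plausible year. And with annual rates below 0.2, most simulated years contain no event at all, so the expected annual loss is small while the 99th percentile is dominated by the PERT tail, which is exactly why the deck reports the 99% CL figure as a low-likelihood worst case rather than a budget number.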
Threats – Vulnerability – Consequence Matrix
Scenario: Nation State attacks FE with determination, resources, and expertise with the goal of causing a significant BES outage
Threats (Attackers)
• Nation State: performing a complex and multifaceted attack
Vulnerabilities
• Employees with privileged access to network, systems, etc.
• Virus / malware infection
• Zero-day software vulnerability
• User clicking on phishing or spear phishing link or opening a malicious attachment
Consequences
• Wide-spread BES outage
Threats – Vulnerability – Consequence Matrix
Scenario: Cyber criminal and current disgruntled employee attack FE cyber infrastructure to gain customer information such as SSNs and bank account information, with a goal of profiting from identity theft
Threats (Attackers)
• Current / former disgruntled employees: intentional compromise of cyber assets
• Cyber criminals: skilled cyber criminals targeting FE for monetary gain
Vulnerabilities
• Weak / inadequate encryption of stored information (data at rest)
• Employees with general access to network, systems, etc.
• Misconfiguration of cyber assets to allow easier compromise
• Insecure encryption key management system and/or network protocols used
• USB jump drive accessibility and use
Consequences
• Data breach: all or most FE customer records compromised (more than 100,000 records)
Results – Top Maximum Foreseeable Losses
• The 99% Confidence Level (CL) represents a worst case scenario with a very low likelihood of occurrence
• Although not represented here, Smart Meter is considered an emerging risk due to uncertainty and newness of the technology
CODE | Threat | Vulnerability | Consequence | Potential Frequency * | 99% CL Impact ($M, 99th Percentile)
-----|--------|---------------|-------------|-----------------------|------------------------------------
IT02 | Cyber Criminals | Inadequate procedures / compromised cyber systems | Network Data Breach | 0.49 | $144.8
FO01 | Cyber Criminals / Spear Phishing / Malicious Insiders | Programs / Procedures are inadequate or not followed | Fossil Outage | 1.00 | $129.0
FO04 | Cyber Criminals / Spear Phishing / Malicious Insiders | Misconfiguration | Fossil Outage | 1.00 | $129.0
FN07 | Cyber Criminals / Spear Phishing / Malicious Insiders | Cyber systems inadequate or broken | Nuclear Outage | 0.33 | $102.9
FN06 | Cyber Criminals / Spear Phishing / Malicious Insiders | Insufficient system documentation | Nuclear Outage | 0.33 | $102.9
FN02 | Cyber Criminals / Spear Phishing / Malicious Insiders | Reliance on 3rd Party Support | Nuclear Outage | 0.33 | $102.9
ED02 | Nation State Attack | Compromised Cyber Control Systems | Wide-spread BES Outage | 0.50 | $64.0
FN04 | Cyber Criminals / Spear Phishing / Malicious Insiders | Control System Failure | Nuclear Outage | 0.50 | $48.8
FN01 | Cyber Criminals / Spear Phishing / Malicious Insiders | Programs / Procedures are inadequate or not followed | Nuclear Outage | 0.49 | $48.8
ED01 | Cyber Criminals | Compromised Cyber Control Systems | Regional / Local BES Outage | 1.00 | $47.7
ED08 | Cyber Criminals / Spear Phishing / Malicious Insiders | Reliance on 3rd Party Support | Regional / Local BES Outage | 1.00 | $47.7
* Potential Frequency – # of events per 5 years
PREVENTING THE INEVITABLE
Gail L. Chambliss, Director, Financial Risk Management
PNM Resources, Inc.
Why should we care?
“After years of warning the U.S. electric grid & critical infrastructure are dangerously vulnerable, experts fear it may take a major destructive attack to jolt CEOs out of complacency…”
Reuters, May 16, 2014
“Eastern European attackers, Energetic Bear, gain access to energy providers by tampering with industrial control systems software updates…”
IDG News, June 30, 2014
What are the potential exposures?
(Diagram: Legal, Risk, IT, Ops)
Third-Party Exposures
• Release of confidential or protected data
• Failure to supply
• Third-party property damage
• Third-party bodily injury
• Loss of customers
First-Party Exposures
• Physical property damage
• Non-physical damage (data, software)
• Loss of revenue
• Extra expenses
• Reputational damage
How do we govern?
(Org chart: Board of Directors; Audit & Ethics Committee; Senior Management; Cyber Security Governance Committee; Legal; CIO; Security & Compliance; Risk Mgt.; Enterprise Risk Management; Internal Audit; Supply Chain; IT Architecture; Power Operations; NERC Compliance; T&D; Strategy & ERM; Generation; Energy Technology & Strategy)
How do we tackle?
• Linkage to ERM Risk Map
• Cyber Security Governance Committee
• Policies and Procedures
Information Security
Cloud Computing
Data and Record Management
• Supplier Management
Risk Assessment
Insurance Risk Matrices
• Awareness
Employees, partners, regulators, etc.
Bring your own device
• Operations
Developing technology
Coordination of physical and cyber security
What do we do day to day?
(Diagram labels: Third-Party Assessments & Testing; Contractual Risk Transfer; Collaboration Workshops (external groups); Evaluating Disclosures; Employee Awareness Education; FERC, NERC, CIP, SOX Compliance; Developing Core Asset Technology; Cyber Liability Insurance; Managing a Dynamic Cyber Risk Environment)
Where do we go next?
(Diagram labels: Scenario Planning; Continuous Risk Assessment; Consistency; Team Service Coverage; Identify Partners; Business Exposures; Innovation; Insurers; Forensics; Knowledge; Public Relations; Support; Board of Directors; Cross Functional; Adaptability & Flexibility; Table Top Exercise Debrief; Engage Stakeholders; Lead Risk Dialogue; Ask the Tough Questions; PNMR Cyber Partners; Continuous Operations; Claims Guide; Broker; Risk Appetite)
Closing ‒ Questions?
Good Luck!
A PRACTICAL GUIDE TO GETTING YOUR HANDS AROUND CYBER RISK
Rick Welsh, Head of Cyber Insurance
AEGIS London
Joe Hancock, Cyber Security Specialist
AEGIS London
Overview
• The need for Cyber Insurance
• AEGIS Cyber Coverage and Services Overview
• AEGIS Cyber Coverage Customer Lifecycle
• AEGIS Cyber Roadmap
• AEGIS Cyber Engagement
The Need for Cyber Insurance
• Cyber security is a problem for Energy in a way that information security wasn’t
• Energy companies are clearly a target for advanced attacks, moving beyond those from criminals
• Attackers are targeting Operational Technology (OT), with real-world impacts
The Operational Technology Problem
Increasing Exposure: The need to maintain operational availability makes updating and patching OT a significant challenge, with technology becoming increasingly more exposed.
IT / OT Convergence: The lines between corporate IT and operational environments are becoming increasingly blurred as organisations seek to realise efficiencies.
Improving Adversaries: Attackers are increasingly focusing on OT; we’ve seen an increase in capability emanating from foreign countries, including less well-known nations. Capability resides mostly in nation states, and expertise is less widespread than for IT.
Safety Critical Risks: Safety critical systems are a particular risk – the impacts on safety cases are not fully explored. Safety impacts on security are also not well understood in the security community.
Existing Cyber Insurance Products
It’s unclear in the marketplace which policies cover losses resulting from a cyberattack; our CyberResilience DIC solution fills this void
(Diagram: CyberResilience DIC Coverage; Existing AEGIS Coverage – CyberResilience Coverage, Terrorism Coverage, Property Coverage, Excess Liability Coverage, Casualty Coverage)
Our Cyber Coverage
• Risks covered
Property Damage
Bodily Injury
Business Interruption
Data Breach
Cyber Extortion
Data Recovery
Network Security
Media Liability
Forensics – IT and OT
Supporting Cyber Risk Management
• Our cyber solution extends much further than just traditional risk transfer
• Our goal is to support the membership and policyholders in long-term cyber risk management
(Diagram: AEGIS Cyber Coverage – Bodily Injury, Property Damage, Data Loss, Business Interruption, Data Recovery, Cyber Extortion; Threat Intelligence, Risk Assessments, Security Benchmarks, Incident Response)
Key Supporting Services
We believe that both effective risk management and cyber security controls, when properly implemented, are crucial to managing cyber risk alongside our coverage.
Critical Success Factor | AEGIS Services
Proportionate Risk Management | Risk assessment; Security benchmarking
Accurate Risk Management | Threat intelligence
Increased Resilience | Incident response; Security advisory
Key Service Concepts
Appropriate and proportionate risk management requires robust risk assessment. Our business risk focused assessment helps identify how cyber threats may lead to high-priority business risks.
Security Assessments
AEGIS Provides | Policyholder Benefits
Cybersecurity Risk Assessments | Strategic direction and risk advice; Independent validation of current risks; Early sight of emerging risks; Bridge the gap between cyber threats and business impacts; Improved coverage and pricing
Key Service Concepts
Supports the evaluation, prioritization and improvement of security capabilities against current risks and the wider sector.
Security Assessments
AEGIS Provides | Policyholder Benefits
Cybersecurity Maturity Assessments | Strategic direction and risk advice; Independent validation of current risk management and security; Improved coverage and pricing
Key Service Concepts
Detailed and contextualized threat intelligence directs risk and security capability against the most critical risks and immediate threats.
Security Assessments
AEGIS Provides | Policyholder Benefits
Periodic Threat Briefings | Accurate intelligence to support risk assessment and management; Reduced exposure to critical security incidents
Indicators of Compromise | Early sight of emerging risks
Key Service Concepts
Cyber incidents require time-critical specialist support to investigate and remediate. We ensure that policyholders are prepared to respond and are supported in doing so.
Incident Response
AEGIS Provides | Policyholder Benefits
Incident Response Advisory | Increased resilience and efficient remediation
Incident Management | Reduction in incident duration
Incident Response / Forensics | Compliance with regulatory requirements
Technical Remediation Advisory | Specialist third-party technical expertise
Key Service Concepts
Supporting the membership and policyholders is key to reducing losses and providing the required coverage. Through our ongoing engagement and experience in cyber security we will provide ad-hoc advice to members with cyber concerns or questions.
Advisory Services
AEGIS Provides | Policyholder Benefits
Ad-hoc advisory | Increased security awareness
Good practice guidance | Accurate risk mitigation
Access to forums / working groups | Reduced consultancy costs
Cyber Insurance Lifecycle
Our policy process ensures accuracy of cover, access to services and tailored, timely incident management.
(Diagram – Process: Query, Coverage Assessment, Onboarding, Policy Coverage Period, Cyber Incident, Incident Response, Claims Management, Renewals; Supporting Cyber Services: Threat Intelligence, Security Assessments, Security Benchmarking, Advisory Services)
Cyber Insurance Roadmap
(Timeline from PHC 2014 to PHC 2015: Strategic Partnerships; Security Assessments Launch; On-boarding and service development; Threat Intelligence Launch; Membership Engagement; Further Product Development…)
Cyber Insurance Market Engagement
• Cyber is becoming a focus area for government as well as business
• This could lead to excessive regulation, increased compliance risk and “one size fits no one” standards
• AEGIS will engage alongside policyholders to represent their interests
Real group effort.