Control Engineering Online Update for March 11, 2005
Highlights

The financial approach to control system security investment involves forecasting the project return rate over a period of time, relative to an established hurdle rate. Risk projects are treated the same as any other project, such as capacity additions and efficiency improvements.
Control System Security ROI

Deploying cybersecurity measures, especially in mission-critical environments where a single breach could have catastrophic consequences, has become a priority. Though the rational justification for instituting these protections is intuitive, control system operators and IT executives typically must provide business justifications for cybersecurity investments. This may entail either risk mitigation or financial justification. Data from surveys [1] indicate that 59% of corporations employ a risk mitigation approach, while the remainder employ financial justifications.

Steps to risk reduction

The first step involves identifying the major risk mitigation opportunities available to the organization. The analysis typically uses categorization to recognize that some candidates are more important than others, or may require special treatment. In the power industry, for example, regulatory mandates (such as the new NERC cybersecurity standards CIP-002 through CIP-009) must be implemented.

The next step is to rank the risk mitigation projects within categories based on a number of factors, from the criticality (severity and probability of the risk occurring) and cost of mitigation, to the duration and value/return of the project. With the evaluation data in hand, a decision can be made regarding which risks will be managed and which risks will be accepted.

Continuing with the power industry example, projects implementing electronic perimeter protection and installing electronic access controls are both nominated as risk management candidates. Both are placed in the mandatory compliance category, since they will contribute to NERC CIP certification. However, the former has a higher estimated return and is more critical because no solution currently exists, while the latter automates an existing manual solution.
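The categorize, rank, fund and repeat procedure this section describes, carried through the power-industry example, including the funding decision and the following year's re-evaluation that the text goes on to describe. This is an added illustration, not the article's or Verano's code: the project names follow the article, but every severity, probability, cost, return and budget figure, the category priority order, and the halving of criticality for a risk that already has a manual control are constructed assumptions.

```python
"""Risk mitigation project ranking and funding under a fixed budget:
categorize, rank within category, fund what fits, re-run next cycle.

Added example, not the article's or Verano's code. Project names follow
the article's power-industry example; every score, cost, return and
budget figure below is a constructed assumption.
"""
from dataclasses import dataclass

# Lower number = higher priority. Regulatory mandates (NERC CIP) come first.
CATEGORY_PRIORITY = {"mandatory compliance": 0, "operational": 1}


@dataclass
class Project:
    name: str
    category: str
    severity: float          # assumed 1..5 impact if the risk materialises
    probability: float       # assumed annual likelihood, 0..1
    cost: float              # cost of mitigation
    estimated_return: float  # value/return of the project
    existing_control: bool   # True if a manual process already covers the risk

    def criticality(self) -> float:
        """Severity x probability, halved when a (manual) solution already
        exists: automating an existing control is treated as less urgent
        than covering an unprotected risk. The 0.5 factor is an assumption."""
        weight = 0.5 if self.existing_control else 1.0
        return self.severity * self.probability * weight


def rank(projects):
    """Order projects: category first, then criticality, then return per dollar."""
    return sorted(
        projects,
        key=lambda p: (
            CATEGORY_PRIORITY[p.category],
            -p.criticality(),
            -(p.estimated_return / p.cost),
        ),
    )


def fund(projects, budget):
    """Walk the ranked list and fund each project that still fits the budget.
    Returns (funded names, deferred names); deferred projects are the
    candidates reconsidered in the next planning cycle."""
    funded, deferred, remaining = [], [], budget
    for p in rank(projects):
        if p.cost <= remaining:
            funded.append(p.name)
            remaining -= p.cost
        else:
            deferred.append(p.name)
    return funded, deferred


# Constructed candidates for the 2005 cycle.
PERIMETER = Project("electronic perimeter protection", "mandatory compliance",
                    severity=5, probability=0.3, cost=400_000,
                    estimated_return=500_000, existing_control=False)
ACCESS = Project("electronic access controls", "mandatory compliance",
                 severity=4, probability=0.4, cost=300_000,
                 estimated_return=250_000, existing_control=True)
MONITORING = Project("network monitoring", "operational",
                     severity=3, probability=0.5, cost=150_000,
                     estimated_return=200_000, existing_control=False)

PROJECTS_2005 = [PERIMETER, ACCESS, MONITORING]
# In 2006 the perimeter project is already delivered; the rest are re-ranked.
PROJECTS_2006 = [ACCESS, MONITORING]
BUDGET = 500_000  # assumed annual security budget


if __name__ == "__main__":
    for year, projects in ((2005, PROJECTS_2005), (2006, PROJECTS_2006)):
        funded, deferred = fund(projects, BUDGET)
        print(year, "funded:", funded, "deferred:", deferred)
```

With these assumed figures the perimeter project outranks access controls inside the mandatory category and consumes most of the 2005 budget, so access controls are deferred; re-running the same ranking in 2006 against the remaining candidates funds them. The greedy walk is the simplest allocation rule; a real planning cycle would also weigh the duration factor the article lists, which this example leaves out.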
Due to limited funding, the electronic perimeter project achieves funding in 2005, while the access controls project does not.

Finally, since the risks facing organizations often change on a daily basis, this analysis process needs to be repeated regularly. As the risks and business environment change, a project that was rejected in the past may be reconsidered in the future. To complete the example, in 2006 the organization will again consider the access controls project; this time its ranking places it in the fundable category.

Return on investment

Though many organizations require the ROI model to justify any financial investment, it has traditionally been difficult to apply this approach to security investments. To quantify and estimate project returns of cybersecurity investments for control environments, Verano has developed a Return on Security Investment model. For the purpose of illustration, we will extend the electronic perimeter example above to include other desirable functions, such as control application and network intrusion detection.

Financial factors
To ensure the logic behind this framework is clear, an example is presented below. Note that the time value of money is not included in the calculations and a three-year time horizon is assumed.

Financial model

To model the impact of per-incident costs on your environment, an estimate must be made of how often those incidents occur. This requires an analysis of three issues:
With this data in hand you can estimate each per incident cost using the formula:
To calculate the incident costs, you need financial data related to operation of the plant. In this three-unit example we use the following assumptions:
Using these assumptions, we populate the model for the first scenario in which the breach causes a total plant outage:
This model is then rerun for other scenarios. For instance, it is much more likely that a breach will result in the outage of a single unit, rather than the whole plant. In this case, we run the same model as above—the costs are lower, but the probability of the consequence is higher:
Note that the expected loss from a single unit outage is similar in magnitude to a plant outage due to the probability factor. Similarly, you can run a model where no outages result. In this scenario, operational efficiencies are shown from features like network anti-virus protection, intrusion prevention, rogue machine detection, network monitoring, and integrated repository.
The final step is to add the per-incident scenarios to the fixed cost savings estimates to generate a total annual return from the security investment. In this case, the results were security audit and incident reporting efficiencies of $150,000. We then calculate the ROI using total savings less incremental costs generated by the investment over three years, divided by the investment cost:
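The financial model described from the per-incident cost formula through the three-year ROI, carried end to end so the arithmetic is visible: per-incident cost, probability weighting for each outage scenario, the fixed efficiency savings, and ROI as savings less incremental costs over the horizon divided by the investment. This is an added example, not Verano's model or code. Apart from the $150,000 audit and reporting efficiency the article quotes, every figure (outage hours, revenue per hour, recovery cost, incident rates, the fraction of incidents the controls prevent, the investment and its incremental running cost) is a constructed assumption, and the `Scenario` fields and the `annual_return` and `rosi` functions are names chosen here.

```python
"""Return-on-security-investment (ROSI) worked example.

Added illustration of the per-incident model the article describes; not
Verano's model or code. Every number is a constructed assumption except
the $150,000 audit/incident-reporting efficiency quoted in the article.
As in the article, the time value of money is ignored and a three-year
horizon is used.
"""
from dataclasses import dataclass

HORIZON_YEARS = 3  # horizon stated in the article


@dataclass
class Scenario:
    """One breach consequence, e.g. a whole-plant or single-unit outage."""
    name: str
    outage_hours: float            # duration of the outage the breach causes
    lost_revenue_per_hour: float   # $/hour of generation that cannot be sold
    recovery_cost: float           # fixed cost to investigate and restore
    incidents_per_year: float      # expected frequency without the new controls
    reduction: float               # fraction of incidents the investment prevents, 0..1

    def cost_per_incident(self) -> float:
        return self.outage_hours * self.lost_revenue_per_hour + self.recovery_cost

    def expected_annual_loss(self) -> float:
        """Probability-weighted loss per year without the controls."""
        return self.cost_per_incident() * self.incidents_per_year

    def annual_avoided_loss(self) -> float:
        """Loss the investment is credited with preventing each year."""
        return self.expected_annual_loss() * self.reduction


def annual_return(scenarios, fixed_savings):
    """Per-incident scenario savings plus fixed efficiency savings, per year."""
    return sum(s.annual_avoided_loss() for s in scenarios) + fixed_savings


def rosi(scenarios, fixed_savings, investment, annual_incremental_cost,
         years=HORIZON_YEARS):
    """ROI = (savings over the horizon - incremental costs over the horizon)
    divided by the investment cost."""
    total_savings = annual_return(scenarios, fixed_savings) * years
    total_incremental = annual_incremental_cost * years
    return (total_savings - total_incremental) / investment


# Constructed scenarios for a hypothetical three-unit plant.
PLANT_OUTAGE = Scenario("total plant outage", outage_hours=48,
                        lost_revenue_per_hour=30_000, recovery_cost=500_000,
                        incidents_per_year=0.05, reduction=0.8)
UNIT_OUTAGE = Scenario("single unit outage", outage_hours=24,
                       lost_revenue_per_hour=10_000, recovery_cost=100_000,
                       incidents_per_year=0.3, reduction=0.8)
SCENARIOS = [PLANT_OUTAGE, UNIT_OUTAGE]

FIXED_SAVINGS = 150_000          # audit and incident-reporting efficiencies (article)
INVESTMENT = 600_000             # assumed up-front cost of the security project
ANNUAL_INCREMENTAL_COST = 50_000 # assumed yearly running cost it introduces


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: cost/incident ${s.cost_per_incident():,.0f}, "
              f"expected annual loss ${s.expected_annual_loss():,.0f}")
    print(f"annual return: ${annual_return(SCENARIOS, FIXED_SAVINGS):,.0f}")
    print(f"3-year ROI: {rosi(SCENARIOS, FIXED_SAVINGS, INVESTMENT, ANNUAL_INCREMENTAL_COST):.3f}")
```

Note how the numbers reproduce the article's observation: the single-unit outage costs far less per incident than a plant outage, yet its expected annual loss is of the same magnitude because it is assumed to occur six times as often. Changing `reduction` is the honest place to express how much of that loss the proposed controls can realistically prevent; crediting the investment with the whole expected loss overstates the return.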
The model presented above provides a template that can be used, with industry sources and internal estimates, to develop a business case that justifies investments in securing your mission-critical infrastructure.

Al Cooley is director of security marketing at Verano Inc.; www.verano.com