Control Engineering Online Update for March 11, 2005

By Control Engineering Staff March 11, 2005

Control System Security ROI

Deploying cybersecurity measures, especially in mission-critical environments where a single breach could have catastrophic consequences, has become a priority. Though the rational justification for instituting these protections is intuitive, control system operators and IT executives typically must provide business justifications for cybersecurity investments.

This may entail either risk mitigation or financial justification. Data from surveys [1] indicate that 59% of corporations employ a risk mitigation approach, while the remainder employ financial justifications.

Steps to risk reduction
Whether a risk mitigation approach is implemented informally or through formal quantitative analysis, the process identifies measures that will decrease key corporate risks, examines the costs and benefits of each measure, and provides an overall ranking of candidate projects for funding decisions.

The first step involves identifying the major risk mitigation opportunities available to the organization. The analysis typically utilizes categorization to recognize the fact that some candidates are either more important than others, or may require special treatment.

In the power industry, for example, regulatory mandates (such as the new NERC cybersecurity standards CIP-002 through CIP-009) must be implemented.

The next step is to rank the risk mitigation projects within categories based on a number of factors, from the criticality (severity and probability of the risk occurring) and cost of mitigation, to the duration and value/return of the project. With the evaluation data in hand, a decision can be made regarding which risks will be managed, and which risks will be accepted.

Continuing with the power industry example, projects implementing electronic perimeter protection and installing electronic access controls are both nominated as risk management candidates. Both are placed in the mandatory compliance category, since they will contribute to NERC CIP certification. However, the former has a higher estimated return, and is more critical because no solution currently exists, while the latter automates an existing manual solution. Due to limited funding, the electronic perimeter project achieves funding in 2005, while the access controls project does not.

Finally, since the risks facing organizations often change on a daily basis, this analysis process needs to be repeated regularly. As the risks and business environment change, a project that has been rejected in the past may be reconsidered in the future.

To complete the example, in 2006 the organization will again consider the access controls project. This time its ranking places it in the fundable category.

Return on investment
The financial approach to security investment involves forecasting the project return rate over a period of time, relative to an established hurdle rate. Risk projects are treated the same as any other project, including capacity additions, efficiency improvements, etc.

Though many organizations require the ROI model to justify any financial investment, it has traditionally been difficult to apply this approach to security investments.

To quantify and estimate project returns of cybersecurity investments for control environments, Verano has developed a Return on Security Investment model. For the purpose of illustration, we will extend the electronic perimeter example above to include other desirable functions, such as control application and network intrusion detection.

Financial factors
A variety of financial factors can be affected by cyber-attacks on a control system, including:

| Financial Factor | Cause |
|---|---|
| Loss of production/generation | Security breaches that impact control systems can knock out generation facilities and damage equipment, resulting in lost production (in terms of MW/hour), repair costs, and restart costs. |
| Operational efficiencies | Security breaches result in significant incremental labor to determine the cause of the breach, understand damages, remedy damages and take preventative steps. The FBI [2] provides actual costs for a variety of different breaches in an IT environment. Damage control efforts in control environments can be considerably more expensive due to the specialized skills and vendor involvement required. |
| Labor efficiencies | Incremental labor costs incurred as a result of security breaches, including overtime to manage the incident/outage, complete internal and regulatory reports, etc. |
| Security audit and incident reporting efficiencies | When investigating a suspicious activity, the security management system provides a single integrated view of events across a large number of computers and network segments. This eliminates the need to move from machine to machine looking for information, makes real-time analysis/prevention possible and reduces the cost of forensics. |
| Eliminated/reduced regulatory fines | Avoiding outages through proactive security management allows companies to avoid expensive side effects, such as regulatory fines. |
| Reduced insurance premiums | Security management solutions reduce risk and, as a result, several carriers offer discounts when they are deployed. |
| Public relations, public goodwill, stock valuation and other intangibles | Intangible factors should not be factored into a formal financial investment analysis, since these factors are difficult for operations personnel to estimate. But these can be significant costs and should not be ignored. They are best handled in the conclusion to the analysis, if your organization employs the ROI approach. The risk mitigation approach is better suited to dealing with these factors. |

To make the logic behind this framework clear, an example is presented below. Note that the time value of money is not included in the calculations and a three-year time horizon is assumed.

Financial model
In dealing with the factors listed above, fixed costs (such as annual insurance savings) and per-incident costs must be treated differently.

To model the impact of per incident costs on your environment, an estimate must be made of how often those incidents occur. This requires an analysis of three issues:

  1. Which incidents are likely to have an impact on your plant? The FBI report [2] is a good starting place to build this list. Utilizing a survey of over 500 companies, it shows the type of security breaches experienced over the last year. Remember that control systems are often built on older, unpatched systems, so vulnerabilities that may not be common in the IT environment may still exist in the control environment.

  2. Frequency of breaches: For each type of security incident, how many times a year can you expect a successful breach given your security environment? Your historical records are the best place to search for this type of data. The answer is rarely zero. For instance, most IT organizations have virus protection in place, but invariably they experience virus infections that are not caught by the virus scanners, or are introduced through an unprotected source.

  3. Probability of consequence: Some breaches do not lead to some of the consequences listed above, while others do. For instance, a successful breach always leads to operational inefficiencies since the breach must be analyzed and repaired, but it does not always lead to an outage. For each type of incident, you also need to estimate the probability that it will cause the particular consequence.

With this data in hand you can estimate each per incident cost using the formula:

Annual loss = incident cost x annual frequency x probability of consequence

To calculate the incident costs, you need financial data related to operation of the plant. In this three-unit example we use the following assumptions:

Assumptions:

1. The costs below are based on the minimum time to return from a unit or plant upset:
   – Hot Restart: Average time required to return unit to full load = 6 hours
   – 625 MW (full load) X 6 hours = 3750 MWH/unit (11,250 MWH/plant)
   – Unit Cost: 3750 MWH X $45/MWH = $168,750/unit + $40,000 startup costs = $208,750
   – Plant Cost: 10,350 MWH X $45/MWH = $506,250/unit + 120,000 startup costs = $626,250
2. Specific values used in this version of the model:
   – Lost opportunity from a unit trip: $208,750
   – Lost opportunity from a plant trip: $626,250
   – Installed cost of security system: $50,000
   – Annual support costs: $8,000
   – Costs per hour of annual labor: $75
   – Hours per day: 8
   – Days per week: 5
3. The probability of a plant trip is similar to a unit trip due to the DCS network between units.
4. Other financial losses not included in the calculations: equipment damages or lost time, data loss or theft, etc.

Using these assumptions, we populate the model for the first scenario in which the breach causes a total plant outage:

Scenario A: Loss of Plant (3 Units)

| Category | Incident | Cost | Frequency | Probability | Savings |
|---|---|---|---|---|---|
| Malware | Virus / Trojan | $626,250 | 4 | 0.05 | $125,250 |
| Malware | Worm | $626,250 | 2 | 0.05 | $62,625 |
| Hacking | DoS | $626,250 | 0.25 | 0.05 | $7,828 |
| Hacking | Taking over machine | $626,250 | 0.25 | 0.05 | $7,828 |
| Hacking | Zombie | $626,250 | 0.5 | 0.05 | $15,656 |
| Insider | DoS | $626,250 | 4 | 0.05 | $125,250 |
| Insider | Rogue machine | $626,250 | 4 | 0.05 | $125,250 |
| Total | | | | | $469,688 |

Note: Assumes LAN connectivity between units, increasing the probability of a cyber-incident impacting all three units.

This model is then rerun for other scenarios. For instance, it is much more likely that a breach will result in the outage of a single unit, rather than the whole plant. In this case, we run the same model as above—the costs are lower, but the probability of the consequence is higher:

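Scenario B: Loss of a Single Unit

| Category | Incident | Cost | Frequency | Probability | Savings |
|---|---|---|---|---|---|
| Malware | Virus / Trojan | $208,750 | 4 | 0.10 | $83,500 |
| Malware | Worm | $208,750 | 2 | 0.10 | $41,750 |
| Hacking | DoS | $208,750 | 0.25 | 0.10 | $5,219 |
| Hacking | Taking over machine | $208,750 | 0.25 | 0.10 | $5,219 |
| Hacking | Zombie | $208,750 | 0.5 | 0.10 | $10,438 |
| Insider | DoS | $208,750 | 4 | 0.10 | $83,500 |
| Insider | Rogue machine | $208,750 | 4 | 0.10 | $83,500 |
| Total | | | | | $313,125 |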

Note that the expected loss from a single unit outage is similar in magnitude to a plant outage due to the probability factor.

Similarly, you can run a model where no outages result. In this scenario, operational efficiencies are shown from features like network anti-virus protection, intrusion prevention, rogue machine detection, network monitoring, and integrated repository.

Event C: Operational Efficiencies Without Loss of Units or Data

| Category | Incident | Cost | Frequency | Probability | Savings |
|---|---|---|---|---|---|
| Malware | Virus / Trojan | $3,000 | 4 | 1.00 | $12,000 |
| Malware | Worm | $3,000 | 2 | 1.00 | $6,000 |
| Hacking | DoS | $3,000 | 0.25 | 1.00 | $750 |
| Hacking | Taking over machine | $48,000 | 0.25 | 1.00 | $12,000 |
| Hacking | Zombie | $48,000 | 0.5 | 1.00 | $24,000 |
| Insider | DoS | $3,000 | 4 | 0.60 | $7,200 |
| Insider | Rogue machine | $3,000 | 4 | 0.90 | $10,800 |
| Total | | | | | $72,750 |

The final step is to add the per-incident scenarios to the fixed cost savings estimates to generate a total annual return from the security investment. In this case, the results were security audit and incident reporting efficiencies of $150,000. We then calculate the ROI using total savings less incremental costs generated by the investment over three years, divided by the investment cost:

| Financial Factors | Expected Cost Savings | 3 Year ROI |
|---|---|---|
| Plant-wide scenario | $469,688 | |
| Single-unit scenario | $313,125 | |
| Operational efficiencies | $72,750 | |
| Security efficiencies | $150,000 | |
| Total Savings | $1,005,563 | 5885% |
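The model above, worked through as an added Python example (not code from the article or from Verano): it recomputes the three scenario tables and the three-year ROI from the stated assumptions. Reading "incremental costs" as the installed cost plus three years of support is an assumption that reproduces the 5885% figure, and `prob_scale` is a hypothetical sensitivity knob that is not part of the article's model.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Figures from the article's assumptions list.
PLANT_TRIP, UNIT_TRIP = D(626_250), D(208_750)
INSTALLED_COST, ANNUAL_SUPPORT, YEARS = D(50_000), D(8_000), 3
FIXED_SAVINGS = D(150_000)  # security audit and incident reporting efficiencies

# Annual frequency per incident type (identical in Scenarios A, B and Event C).
FREQ = {"virus/trojan": "4", "worm": "2", "hack-dos": "0.25", "takeover": "0.25",
        "zombie": "0.5", "insider-dos": "4", "rogue-machine": "4"}

# Event C (no outage): incident -> (cost, probability of consequence).
EVENT_C = {"virus/trojan": ("3000", "1"), "worm": ("3000", "1"),
           "hack-dos": ("3000", "1"), "takeover": ("48000", "1"),
           "zombie": ("48000", "1"), "insider-dos": ("3000", "0.60"),
           "rogue-machine": ("3000", "0.90")}

def annual_loss(cost, frequency, probability):
    """Annual loss = incident cost x annual frequency x probability of consequence."""
    return D(cost) * D(frequency) * D(probability)

def outage_scenario(cost, probability):
    """Scenario A/B: one cost and one probability applied to every incident type."""
    return sum(annual_loss(cost, f, probability) for f in FREQ.values())

def efficiency_scenario():
    return sum(annual_loss(c, FREQ[k], p) for k, (c, p) in EVENT_C.items())

def dollars(x):
    """Round half up to a whole number, which matches the article's rounded figures."""
    return int(D(x).quantize(D(1), rounding=ROUND_HALF_UP))

def model(prob_scale="1"):
    """prob_scale multiplies both outage probabilities (hypothetical knob, not in the article)."""
    s = D(prob_scale)
    a = outage_scenario(PLANT_TRIP, D("0.05") * s)
    b = outage_scenario(UNIT_TRIP, D("0.10") * s)
    c = efficiency_scenario()
    annual = a + b + c + FIXED_SAVINGS
    # Assumed reading of "incremental costs": installed cost plus three years of support.
    costs = INSTALLED_COST + YEARS * ANNUAL_SUPPORT
    roi_pct = (YEARS * annual - costs) / INSTALLED_COST * 100
    return {"A": dollars(a), "B": dollars(b), "C": dollars(c),
            "annual": dollars(annual), "roi_pct": dollars(roi_pct)}

if __name__ == "__main__":
    print("article inputs:", model())
    print("outage probabilities 10x lower:", model("0.1"))
```

Rerunning with `model("0.1")` shows how strongly the headline figure depends on the estimated probability of consequence, which is the input the article says must come from your own historical records.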

The model presented above provides a template that can be used, with industry sources and internal estimates, to develop a business case that justifies investments in securing your mission-critical infrastructure.

Al Cooley is director of security marketing at Verano Inc.; www.verano.com

References
1. Carnegie Mellon Software Engineering Institute, www.cert.org
2. FBI/CSI Computer Crime and Security Survey