Finding a way to determine the right level of investment in ICS and SCADA security has been an ongoing challenge for industry. In an earlier article the Total Cost of Ownership approach to calculating the investment level was described. Today I present another method called Value at Risk (VaR).
Even with all of the economic insurance mechanisms set throughout the global financial system, economic catastrophes (or crashes) occur about once every 30 years. While you may be thinking, “How does this apply to network security?”, consider the following:
Value at Risk for Process Automation Companies
Value at Risk (VaR) has existed within the financial world for a long time and is used to measure risk while it happens. Managing the risk of financial investments, and the small potential of catastrophic loss, has come to separate the winners from the losers within the world of finance. How big of a role can VaR play within risk management of a manufacturing or process automation company? While all companies within the automation sector allocate resources to managing risk, many do not know how to apply risk management to security intrusions or ICS vulnerabilities.
Black Swan Events
Nassim Nicholas Taleb, an economist, wrote an interesting book regarding the financial crisis of 2008 called “The Black Swan.” In it, Taleb argues that the day-to-day probability of a catastrophic event is often incredibly minuscule, yet such events are also inevitable.
Black swan theory characterizes major financial, scientific and historic events as being undirected and unpredicted. The phrase was coined when the black swan was presumed not to exist, and now generally means something that is rare, or indicates the fragility of any system of thought.
- McAfee Labs collected more than 83 million malware samples by the end of the 2012 period, up from 75 million samples at the end of 2011.
- McAfee Labs collected more than 8,000 mobile malware samples in the first quarter of 2012.
- 79% of the organizations surveyed in the 2012 Evalueserve State of Security Report indicated data loss and unauthorized outside access as the primary security threats in their security plans.
- Additionally, only 59% indicate that these threats are addressed with a clear approach within their plans.
Doing the Math with the Altman Z-Score
Now let's get specific. Operational risk management must take security intrusion, and the cost of such risk, into consideration. To do so we will use a variation of the financial VaR calculation called the Altman Z-Score. It has 3 components:
- time period
- confidence level
- loss amount
If you are a public manufacturing company, calculate your Altman Z-Score (VaR) as follows:
- 1.2 × Working capital / Total assets +
- 1.4 × Total retained earnings / Total assets +
- 3.3 × Profit before tax and interest / Total assets +
- 0.6 × Market value of the company / Book value of debt +
- 1.0 × Sales / Total assets
If you are a private manufacturing company, calculate your Z-Score as follows:
- 0.717 × Working capital / Total assets +
- 0.847 × Total retained earnings / Total assets +
- 3.107 × Profit before tax and interest / Total assets +
- 0.420 × Book value of assets / Book value of debt +
- 0.998 × Sales / Total assets
| Altman Z-Score | Implications |
|---|---|
| 3.0 or higher | Safe zone: low probability of financial distress |
| 2.7 – 3.0 | On alert: caution is warranted |
| 1.8 – 2.7 | Grey zone: a good chance of financial distress within two years |
| < 1.8 | Distress zone: high probability of bankruptcy |
Calculating the ROI on Investments in Network Security
If assumptions are made about the potential costs and risks of network failure and production shutdown due to a security intrusion, then you can estimate the return on investment (ROI) of investing in network security. Simply complete the Z-Score calculation twice:
- once without potential security event costs
- once WITH potential security event costs
The potential security event costs to include are:
- the cost per hour of halted production
- the potential amount of lost production from a major network event
- the cost of damage to or replacement of key capital equipment
- the legal costs of potential disasters
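A worked run of the two-pass calculation above, added here as an example (not code from the post or from Tofino): it implements both Z-Score variants listed earlier, the zone table, and the with/without-event comparison on a constructed sample firm. The way the four cost items are booked against the balance sheet and the sample figures are assumptions.

```python
from dataclasses import dataclass, replace
# Coefficients exactly as the post lists them (public Z, private Z').
PUBLIC = (1.2, 1.4, 3.3, 0.6, 1.0)
PRIVATE = (0.717, 0.847, 3.107, 0.420, 0.998)

@dataclass(frozen=True)
class Financials:
    working_capital: float
    retained_earnings: float
    ebit: float           # profit before tax and interest
    equity_value: float   # market value (public) or book value (private), per the post
    book_debt: float
    sales: float
    total_assets: float

def z_score(f: Financials, public: bool = True) -> float:
    a, b, c, d, e = PUBLIC if public else PRIVATE
    ta = f.total_assets
    return (a * f.working_capital / ta + b * f.retained_earnings / ta
            + c * f.ebit / ta + d * f.equity_value / f.book_debt + e * f.sales / ta)

def zone(z: float) -> str:
    # The four bands from the post's table
    if z >= 3.0:
        return "safe"
    if z >= 2.7:
        return "on alert"
    return "grey" if z >= 1.8 else "distress"

def after_event(f: Financials, hours_down: float, cost_per_hour: float,
                lost_production: float, equipment: float, legal: float) -> Financials:
    # Simplifying assumption: the post's four cost items are paid in cash (working capital),
    # expensed against EBIT and retained earnings, and reduce total assets; equity and debt unchanged.
    loss = hours_down * cost_per_hour + lost_production + equipment + legal
    return replace(f, working_capital=f.working_capital - loss,
                   retained_earnings=f.retained_earnings - loss,
                   ebit=f.ebit - loss, total_assets=f.total_assets - loss)

# Constructed sample firm, figures in $M (not a real company).
SAMPLE = Financials(working_capital=120, retained_earnings=300, ebit=90,
                    equity_value=1000, book_debt=400, sales=900, total_assets=1000)

def compare(f: Financials = SAMPLE) -> dict:
    """Score the firm with and without a 72-hour outage (constructed cost inputs)."""
    hit = after_event(f, 72, 0.5, lost_production=20, equipment=30, legal=50)
    return {"baseline": (z_score(f), zone(z_score(f))),
            "with_event": (z_score(hit), zone(z_score(hit)))}
if __name__ == "__main__":
    for label, (z, band) in compare().items():
        print(f"{label:>10}: Z = {z:.3f} ({band})")
```

The gap between the two scores is the exposure a security investment is buying down; with these inputs a single outage moves the sample firm from the safe zone into the grey zone.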
BP’s Deepwater Horizon Catastrophe – A Real-life Black Swan Incident
On April 20, 2010, an explosion caused by a well blowout occurred on the drilling platform of the oil rig called the Deepwater Horizon. The notorious BP oil spill was never tied to a network security issue, but it is an excellent example of a black swan process incident. Simply put, the mounting pressure within the wellhead should have been recognized prior to the catastrophic explosion that caused 11 deaths, irreparable damage to thousands of miles of coastline, and an estimated $42 billion net loss to BP [1].

Now even though the Deepwater catastrophe was unlikely to have been caused by a malware intrusion or hack, one could quantify the impact of a similar network issue on a company’s risk profile using the Altman Z-Score. In December 2008, BP had an exemplary Z-Score of 3.232. After the disaster, its score was nearly cut in half to 1.884. The significance of this figure is that BP lost nearly half of its value and flirted dangerously with bankruptcy. But because it had such a good Z-Score going into the event, it managed to survive.
In most operations, fiscal damages of a similar proportion to what was seen in 2010 on Deepwater Horizon would result in a complete financial meltdown and failure of the responsible firm.
Reducing the Operations Risk Profile
An important step in improving your operational risk profile, bottom line and safety is to invest in network security measures. It is important to consider the real cost implications of a network security threat within the industrial network so that proper steps can be taken to insulate manufacturing and automation processes from excessive risk.

Today, the industrial network has become the “Achilles heel” of many international firms and has exposed many companies, and their shareholders, to significant and unnecessary risk. Investing in industrial network security is not only responsible, but it is becoming necessary within mission-critical applications.

Security solutions designed for industry are a good hedging technique to insulate your operation from cyber-borne risks. They can protect vulnerable controllers from broadcast overload, improve network segmentation between the control room and sub-systems, and guard against accidental and malicious security intrusions. Of course I recommend our own Tofino Industrial Security Solution, but there are others out there.
https://www.tofinosecurity.com/blog/industrial-network-security-%E2%80%93-evaluating-risks