
Cybersecurity Risks: Make Wise Choices

image credit: North American Transmission Forum (NATF)
Richard Brooks
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software and SAGScore™...

Mar 5, 2022

Cybersecurity risks are typically met with one of three reactions: 1) Accept, 2) Avoid, 3) Mitigate. An organization's cybersecurity risk strategy, risk appetite and risk threshold, along with risk severity, are the key factors in determining which of these three actions will prevail for each identified risk on a risk register. An organization's CISO typically maintains the risk register, identifying each risk and its severity along with the reaction chosen to address it. The risk register is a dynamic document: new risks are added, and existing risks are changed when new information alters some aspect of the risk. For example, a registered risk that was once assigned a reaction of "Accept" may change to "Mitigate" due to a change in circumstances. You cannot control when a new risk will enter your path or when an existing risk needs to be reconsidered, but you must be prepared to choose which of the three "reaction" options is the most appropriate when the risk posture changes. The choice of reaction comes down to an executive-level decision among the people with fiduciary duties to make this risk-based decision. This article provides guidance to BoD and C-Level executives who hold the responsibility for making these decisions when reacting to cyber-risks.

What do leftover Lo Mein and Miasma have in common? Answer: both were identified as dangerous risks that caused severe health problems, when in fact the actual root cause of the health problem was something completely different. I can easily imagine risk register entries for these two risks:

Neisseria meningitidis caused by eating leftover Lo Mein: Reaction: Avoid eating leftover Lo Mein

Cholera caused by Miasma: Reaction: Mitigate; wear a mask when outdoors

What is the take-away lesson from these two “risk scenarios” that will help inform BoD and C-Level executives with regard to making wise choices on which of the three reactions is most appropriate when presented with an identified cyber-risk?

The best advice I can offer BoD and C-Level executives is to require the party reporting risks to justify their conclusions by connecting the dots, keeping in mind that causation depends on correlation, correlation depends on variation, and variation depends on accurate and complete data. It all begins with high quality data, and that's a good place to start asking questions. A party presenting risks to BoD and C-Level executives MUST be prepared to connect the dots from data to causation in order to present a viable risk, demonstrating that comprehensive research was performed that led to the conclusion of risk severity, based on likelihood and impact, using high quality data and proven statistical methods. Here are a few sample questions that a BoD member or C-Level executive should ask a party reporting on risk severity, likelihood and impact; the answers will help decision makers determine the appropriate reaction: 1) Accept, 2) Avoid or 3) Mitigate.

Describe the process that led to your conclusion.

Were you able to validate your findings and conclusion with other parties that face the same risk?

What skill level is needed to carry out the attack that will cause this risk to manifest in our environment?

What is the range of impacts this risk could present? Recall the “flat tire” from the previous article.

I could list many more example questions, but I think you get the point – as a BoD member or C-Level executive with fiduciary duties, you have the "honor" of deciding which reaction is most appropriate when presented with cyber-risks. Make wise decisions, based on reliable and convincing evidence.

Never trust software, always verify and report! ™

Discussions

Jim Stack on Mar 7, 2022

I like the way Tesla and many others pay a reward if a hacker discovers a software security weak point. It's a great way to get the hackers to help find a problem. 
