
Recovery Time Objective is the Key Driver when planning Incident Response and Recovery

When I was a young software engineer, a manager conveyed a profound lesson in managing software projects. He said, “the parameters always define the deliverable”. That was way too abstract to hit home for me, so he used a story to communicate the key concepts of the message. Imagine you are assigned a project from management to build an airplane. He paused for several seconds and said, “you have five minutes and five cents to complete the project”. Five minutes expressed the project deadline constraint and five cents expressed the project budget constraint. These parameters certainly did define the deliverable: a paper airplane was the only viable solution. Now I know for certain, after 40+ years developing software, that the parameters always define the final deliverable.

One of those key parameters is the “project deadline”. It defines the amount of time you have to complete the project, which is defined by a goal. Let’s break down the story into its key components:

  • The Goal: Build an airplane.
  • Project Deadline: 5 minutes from time(t), the start time of the project.
  • Project Budget: 5 cents, the amount of financing available to complete the project by the deadline.

Let’s apply these concepts to a “cyber-incident” and the need to implement a successful recovery.

  • The Goal: Recover from a cyber-incident to enable a company to keep running and be profitable.
  • Project Deadline: Defined by the Recovery Time Objective (RTO).
  • Project Budget: Determined by the potential impact (consequences) of the incident (financial losses and other business impact) and recovery costs.

Recovery Time Objective (RTO) is not a “one and done factor”. RTO is highly dependent on the potential impact of a cyber-incident and the risk imposed by “down time”. If the parachute fails to open on the way toward the ground, then the RTO is very short. In the case of Apollo 13, the RTO was days. In the Titanic case, the RTO was hours after hitting the iceberg; there, the goal was saving lives, not the ship. Each case can have a different RTO, and the BoD and C-Level Executives need to provide guidance on it. With regard to cybersecurity and the risk of cyber-incidents, prevention (effective proactive measures) will always trump incident response and recovery. BoD and C-Level Executives need to provide guidance regarding “risk appetite”, “risk tolerance”, “risk threshold” and “recovery time objective” to help implementers achieve company objectives with regard to cyber-incident prevention and recovery.

Energy Central is hosting a PowerSession to help Directors and Officers prepare for the SEC Cybersecurity Regulations that go live in December 2023. I hope you can join us for this PowerSession on December 14 with panelists identified as top voices in Cybersecurity from across business disciplines: Chuck Brooks, Danielle Jablanski, Jim Hempstead and Bob Zukis. We have everything from the Boardroom to the front lines of ICS/OT covered. Hope to see you there.