IEEE Power & Energy Magazine - September/October 2016 - 55
devices, and networks must be conducted, in essence a major enterprise asset management "inventory relook" exercise. Understanding the asset base; what is electronically connected and what versions of hardware, software, and patching are installed; and what versions of control system communication protocols are being used is an important step for inventorying and developing equipment risk spectrums. A robust risk assessment program can then serve the double duty of cybersecurity and system reliability objectives. A tactical program should also prepare not only for intentional intrusions but also for unintentional incidents. See Figure 3.

[Figure 3: diagram titled "IT and ICS Cybersecurity Flow". Legible stage labels include Vulnerability, Planning, Policy and Procedures, Training, Analysis, and Measurement.]
Figure 3. IT and ICS cybersecurity planning and implementation must be performed together, and it is an iterative process.

The development, documentation, and implementation of ICS cybersecurity policies and procedures that are compatible with IT security, physical security, and business continuity policies must be effectively introduced. Companies must assess their in-house capabilities, skill sets, and likelihood to succeed. Hiring or bringing experts on board to address gaps, both resource and knowledge based, is prudent. A representative team including OT, security, and IT should determine security technologies, standards, and risk-prioritized implementation plans. This goes well beyond the simple implementation of firewalls and antivirus software.

Additionally, cybersecurity considerations must be incorporated into procurement activities, not just for material purchases but also proactively guarding against potential risks borne through suppliers, partners, and contractors through their systems or personnel access. Specifications and bidding processes should incorporate cybersecurity requirements so they are properly communicated as requisites to suppliers for designing, manufacturing, testing, and supplying materials.

There are additional organizational strategies that can help mitigate risk. One notable challenge with respect to protecting ICSs and related equipment has been the lack of organizational coordination between IT, operations technology, security, safety and emergency management, risk management, and crisis management functions. ICS cybersecurity may be harder to coordinate because of this separation of IT and OT in organizational silos, but that can be addressed once recognized. Traditionally, IT cybersecurity has focused on data breach, customer and intellectual property, and data privacy protection, while the OT side of cybersecurity has been focused on NERC CIP compliance. The result is the potential for gaps in an effective and holistic approach to cybersecurity risk management.

Are We Covered?

The insurance market also faces a challenge as IT-related policies dominate the cybersecurity area. OT-oriented cyber policies are far less common partly because there has yet to be an industry standard for operational, physical asset, and OT-based compromise. While conventional data-breach cyberincidents are suspected of being widely underreported, reporting ICS physical-breach cyberincidents is even rarer, perhaps due to the difficulty of characterizing events in addition to the lack of standard industry reporting protocols and requirements. Immaturity in ICS cyber insurance may also be related to the fact that damage done to a utility's physical plant has typically been a property and casualty policy concern. If an incident is attributed to cyber, physical damage may or may not be covered. Until years of case law is established through the insurance coverage adjudication process, the responsibility for complex "third-party" claims will surely remain uncertain. There is also uncertainty for insurers with respect to declaring a prudent level of business interruption coverage capacity to offer insureds until stronger risk-mitigation practices are implemented and accurate loss-quantification tools are available. Of greater certainty is the impact of an electric utility's outage that subsequently causes a service outage to a commercial customer. This very likely will trigger claims on the commercial customers' business interruption and/or service interruption insurance policies, potentially creating large-scale losses for insurers and the potential for equally large-scale and expensive liability litigation, based on risk accumulation.

Successful cyberattacks on utility equipment, such as major power generation stations or large transformers, may not only result in major capital losses but may also have the potential to extend outages for long periods of time. Utilities and insurers may well be advised to coordinate the development of appropriate OT cybersecurity metrics and begin assessing physical damage and long-term service outages caused by ICS cyber risk, rather than labor under the provisions and assumptions underlying conventional IT data-breach-only scenarios.

Who else cares about OT cybersecurity risk? The credit rating agencies (such as Moody's, S&P, and Fitch)! Publicly