The Management of Industrial Cyber Risks

Risk Management is a discipline that deals with uncertainty and, simply put, involves the process of identifying, assessing, and controlling the impact of risks that form part of the life of a business. 

This much is obvious to everyone involved in risk management, whether your role involves managing the risks of your own company, assuming risks as a professional risk taker, or safeguarding the financial system or the general community at large as a regulator. The challenge to successful risk management is the differing nature of risks, and industrial cyber risk presents a significant challenge.

This blog is an introduction to a series of commentaries regarding the management of industrial cyber risk with emphasis on the transfer of it via insurance and alternative capital mechanisms. It is seeking to, amongst other things:


Why I Joined a Cyber Risk Company

Over the last decade I have personally seen cybersecurity stakeholders evolve to become a more pivotal resource within nearly every industrial enterprise that I deal with. The reason for this evolution is obvious. Cyber risk has become a central challenge, and experts that mitigate and manage it best are in high demand. With this notion, it is also clear that the old way of managing risk doesn't work anymore.

ICS/OT asset owners today have invested continuously in new cybersecurity and asset visibility tools to better manage their interconnected and expensive Distributed Control Systems (DCS), Energy Management Systems (EMS) and Bulk Electric Systems (BES). After a decade of witnessing this trend first-hand, I ask – is the average industrial enterprise better off?

While I will let the reader come to their own conclusion on the question above, I will say that I believe cyber risk is a challenge that must be better reconciled by solution providers and the ICS/OT asset owners that they sell to. In the first half of 2021, ICS/OT-specific vulnerabilities grew by over 40%.


Confessions of a Cybersecurity Professional

Cyber risk quantification is what the future needs – for critical infrastructures, industrial enterprises, and insurers alike.


I became the head of Marketing at DeNexus just two short months ago. Yet we have done a lot thus far, from raising nearly $5 million in our seed round to hiring an experienced sales leader and building out our engineering team by 2x. Now, I think it’s a great time to look back and highlight why I joined DeNexus and how my observations on cybersecurity in general have brought me here.


Can Cyber Data be Stored in the Cloud?

With the redesign and update of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards and the changes to the NERC Glossary of Terms that occurred on July 1st, 2016, there has been some debate within the industry on whether or not information can be stored in the cloud. Each entity makes this decision based on its individual corporate posture, but the decision usually considers at the minimum the compliance of all responsible NERC CIP Standards. The responsibility of each Standard is based on the entity’s Impact Rating determination.


Quantifying Cyber Risk is Hard; Knowing the Answer is Harder.

In operational technology (OT) networks, it is COST that is the driver behind nearly all cyber risk mitigation investments. Sometimes contrary to business trends, cost supplants security as a priority because security in the form of cyber risk always has a cost associated with it. In the industrial sector where legacy infrastructures are common, the cost of cyber risk can be significant. However, that 'cost' isn’t always so clear. In fact, it nearly never is, and there lies the trillion-dollar problem. Of course, the notion that cyber risk has a cost is obvious. Yet the cost of cyber risk is still neglected by the many cybersecurity solution providers and the insurance underwriters serving industrial organizations within energy, transportation, and manufacturing. No one can be blamed for this oversight because quantifying cyber risk is hard. Cyber risk has many different contributing variables. Cyber risk is dynamic and volatile, and, contrary to other sources of risk, it is subject to human factors such as motive. Furthermore, sometimes digesting and managing the cost of cyber risk after quantifying it is even harder. Yet, it must be solved.
