Operational risk and cyber risk can be managed on equal terms when both are quantified using FAIR™, as Mike Radigan demonstrated with a case study from a power plant presented at the 2021 FAIR Conference (FAIRCON21). Mike leads the cyber risk quantification program at a global company and chairs the Greater Ohio Chapter of the FAIR Institute.
As Mike told the story, plant operators had good historical records on plant shutdowns and a good grasp of mechanical risks, but come to them with a list of NIST CSF “maturity gaps” and “they will be mystified as to how and why they should care.”
Mike first took the plant operator risk list and converted those to FAIR loss event scenarios, leading to one surprise: What they thought was the top financial risk, a generator failure, turned out to be mitigated by insurance. That put the failure of a hydropower waterwall at the top of the list.
With a risk ranking that the operators could sign off on, Mike next ran FAIR analysis of the cyber risks. “We needed a model that would assess both cyber and operational risk and normalize the two…FAIR is an agnostic model.”
As it turned out, based on loss exposure, a failure of the Distributed Control System (DCS), the network that ran the plant, was in fact the costliest probable risk, as it would result in an entire plant shutdown.
“We were able to get the DCS cyber risk down to a level they wanted…At that point cyber risk was clearly understood and compared to the issues plant operations cared about…Plant operations was in a position to make a rational decision regarding cyber risk management.”
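The normalization Mike describes rests on FAIR's basic decomposition: annualized loss exposure is loss event frequency (LEF) multiplied by loss magnitude (LM), so a mechanical failure and a cyber failure land on the same dollar scale. The following is an added illustration, not code or figures from Mike's presentation or from the FAIR Institute. It runs a small Monte Carlo over three constructed scenarios shaped like the ones in the story (generator failure largely transferred to insurance, waterwall failure, and a DCS failure that shuts the whole plant), using calibrated min / most likely / max estimates approximated with a PERT-style beta distribution. Every number in `SCENARIOS` is invented for the example.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass
class Estimate:
    """A calibrated min / most likely / max estimate, sampled as a PERT-style beta."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        # Standard PERT shape parameters (lambda = 4)
        a = 1 + 4 * (self.likely - self.low) / span
        b = 1 + 4 * (self.high - self.likely) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass
class Scenario:
    name: str
    lef: Estimate            # loss event frequency, events per year
    lm: Estimate             # loss magnitude per event, in dollars
    insured_share: float = 0.0  # fraction of each loss transferred to an insurer


# Constructed example scenarios; these are NOT the plant's real figures.
SCENARIOS = [
    Scenario("Generator failure", Estimate(0.1, 0.3, 0.5),
             Estimate(2_000_000, 5_000_000, 10_000_000), insured_share=0.9),
    Scenario("Waterwall failure", Estimate(0.05, 0.1, 0.2),
             Estimate(3_000_000, 8_000_000, 15_000_000)),
    Scenario("DCS failure (cyber)", Estimate(0.2, 0.5, 1.0),
             Estimate(5_000_000, 10_000_000, 20_000_000)),
]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 1,
             apply_insurance: bool = True) -> list[float]:
    """Return one simulated annual loss (in dollars) per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # Sample this year's event rate, then how many events actually occur
        events = poisson(rng, scenario.lef.sample(rng))
        total = sum(scenario.lm.sample(rng) for _ in range(events))
        if apply_insurance:
            # Risk transfer reduces what the plant itself bears
            total *= 1.0 - scenario.insured_share
        losses.append(total)
    return losses


def summarize(losses: list[float]) -> dict:
    """Annualized loss exposure (mean) plus the 90th-percentile annual loss."""
    return {"ale": mean(losses), "p90": quantiles(losses, n=10)[8]}


def rank(scenarios: list[Scenario], apply_insurance: bool = True,
         trials: int = 20_000, seed: int = 1) -> list[tuple[str, float]]:
    """Scenarios ordered by annualized loss exposure, highest first."""
    ale = {s.name: summarize(simulate(s, trials, seed, apply_insurance))["ale"]
           for s in scenarios}
    return sorted(ale.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for label, insured in (("gross of insurance", False), ("net of insurance", True)):
        print(f"\nRanking {label}:")
        for name, ale in rank(SCENARIOS, apply_insurance=insured):
            print(f"  {name:22s} ALE ${ale:,.0f}")
```

Run gross of insurance, the generator scenario outranks the waterwall; run net of insurance, it drops to the bottom and the DCS scenario sits well above both operational risks, which is the shape of the decision the plant team arrived at. The same `Scenario` record serves a mechanical and a cyber loss event, which is what "agnostic model" means in practice: only the estimates differ, not the arithmetic.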
Read more by Mike Radigan: Case Study: Demystifying ICS Cyber Risk with FAIR