At a recent public event, Department of Energy Deputy CISO Gregg Sisson said that he’s not focused on buying security tools right now. Instead, he’s looking to leverage the FAIR cyber risk quantification (CRQ) model to help him make better strategic decisions about which tools will need to be purchased and where they will do the most good in thwarting the very attacks we fear. Sisson will also leverage FAIR for other strategic decisions, such as what is eligible for cloud migration, and when.
FAIR (Factor Analysis of Information Risk) is the internationally recognized standard model for analyzing cyber risk in quantitative – in other words, financial or impact-based – terms. FAIR allows organizations to understand the real-world impact of cyber incidents, whether they be a breach scenario, system outages and downtime, integrity failures, or other operational risk events. FAIR uses actuarially sound yet straightforward methods to help organizations forecast the frequency and magnitude of future risk events. For government agencies without profit and loss concerns, FAIR helps assess the economic impact to citizens and the private sector.
A wave of federal initiatives – Executive Order 13800, FISMA, OMB and DHS directives, and more – is impelling agencies to take a risk-based approach to cybersecurity and IT modernization, and is raising the visibility of FAIR among government CIOs, with DOE in the lead. What led Deputy CISO Sisson to choose FAIR? Let’s examine the DOE cybersecurity roadmap for answers.
In 2018, the Department of Energy released its multiyear plan to strengthen the cybersecurity of the energy sector. While no specific triggering event was given, there is plenty of backdrop to allow us to paint a broader picture of why this was necessary. In 2009, DHS Secretary Janet Napolitano admitted that Russian and Chinese spies had infiltrated US SCADA systems and left behind software that, if activated, could have taken down the power grid. The Stuxnet worm attack on Iranian centrifuges around 2010 and the Sandworm group’s takedown of Ukraine’s power grid in 2015 have given rise to much concern over the ability of hostile actors to take over our electrical grid infrastructure and render all our modern conveniences and way of life obsolete. It is speculated that this kind of attack might precede more traditional kinetic attacks and cause widespread panic resulting in significant casualties.
Buried within the 2018 DOE Plan are some good thoughts about how to manage the public-private partnership aspect of the U.S. power grid. Also included are plans to develop next-generation solutions to complex security problems. At one point they indicate that “the current process to identify, mitigate, and patch after the fact is not sustainable.”
For risk professionals, the core of the plan is its requirement to prioritize systems for remediation. The DOE plan lays out a strategy to reduce cyber risk across the U.S. energy sector, and a key part of that plan is to focus on high-priority activities and systems. Several goals in the 2018 plan focus on risk management to make this difference.
Under Goal 1, Strengthen Energy Sector Cybersecurity Preparedness, sub-goal 1.3 (strengthen sector risk management capabilities), the DOE discusses the following to improve risk management practices in the energy sector: Update the Cybersecurity Capability Maturity Model (C2M2) and Risk Management Process (RMP).
Further, the document makes this statement that succinctly outlines the necessities of risk-based approaches to energy-sector cybersecurity:
Strategic Imperatives for Energy Sector Cybersecurity
Use risk-based methods to prioritize actions and investments. Achieving 100% security of all systems against all threats is not possible. Resources are limited and all systems cannot and should not be protected in the same manner. DOE will use risk-based methods to make decisions and prioritize activities to support the risk management responsibilities of energy owners and operators.
Kudos are due to the DOE for making this statement; it’s an incredibly mature and sophisticated look at the complex, interconnected world in which we live. Indeed, there will never be enough resources available to fully remove all risk from our energy systems, and we need to focus our efforts where we can effect the biggest change.
The DOE is making a significant stride in enabling this goal by adopting state-of-the-art cyber risk quantification using the FAIR model. When Deputy CISO Sisson selected FAIR, he was making a commitment to fully understanding the impact of cyber attacks and outages on the nation’s electrical grid. The DOE acknowledging in its 2018 plan that 100 percent security against all threats is not possible enabled Sisson to prioritize the resources at the DOE’s disposal and request additional funding for those areas that represented true risk to the nation’s infrastructure. It’s only with a CRQ method such as FAIR that cybersecurity leaders can focus an organization on high-risk systems and scenarios and provide the bulletproof rationale for headcount, resources, and funding.
There is a lot of synergy between FAIR and the DOE Risk Management Process (RMP) guidance. The RMP is the DOE’s how-to guide for conducting risk assessments in the energy sector. The document discusses several factors to consider when conducting risk assessments, including framing, estimating likelihood, and estimating impact. Like many risk assessment frameworks (such as NIST and ISO), it offers limited details on how to estimate or derive those variables, and especially on how to evaluate what the impact to the organization would be. The RMP is scheduled to be updated in FY2020, and requirements gathering for those updates is happening presently. In this updated RMP and in future versions, be on the lookout for a more explicit connection to CRQ as the DOE’s experience with FAIR increases – and expect to see similar initiatives coming out of other departments and agencies as the risk-based approach spreads.