POWER March 2016 - 38

CYBERSECURITY
events remains unclear.
Pollet pointed to the 2003 Northeast
Blackout, which began when an alarm and
logging server operated by FirstEnergy in
Ohio crashed (and then caused a cascading
series of crashes on connected energy management
system servers). This left the control
room operators unaware of multiple growing
problems on their system. NERC would later
point to the lack of proper monitoring of the
alarm detection system (there was no failure
detection, so operators had no way of knowing
the alarm monitor was down) as one
cause of the blackout.
"If a company doesn't have people ready
to respond, doesn't have the proper technologies,
doesn't have the proper logging to be
able to understand what happened, when it
has the spotlight showing on them [after a
network breach] their financial hit is going to
be that much greater," Pollet said.
Backups and Restoring Data
Pollet drew a clear distinction between well-prepared
generators and poorly prepared
ones in how they handle their data backup
and restoration processes. That process has
gone far beyond traditional tape drives and
CD-ROMs.
"We have clients who have embraced
technologies like virtual machines so they
can restore and recover their assets within
seconds," he noted. Other generators, by
contrast, "take a CD-ROM backup and stash
it somewhere. Then they don't test their recovery
processes or their recovery CD, so if
in fact they were to have an Internet outage,
they don't have the ability to recover quickly,
if they even have the staff to manage it."
When that happens, small problems can cascade
into big ones, and big ones can become
existential threats.
While NERC CIP-009-6 requires companies
to develop and test backup and recovery
plans, it does not dictate a specific method.
That means a company taking the least expensive
and least complicated approach may
be in compliance while being badly exposed
to potential problems.
Public Relations
Reputational risk management in cybersecurity
is often not a key priority, even though
substantial reputational damage can result
from what are essentially insignificant incidents,
such as distributed denial-of-service
attacks on the company website or other
public-facing gateways. Generators that are
well prepared with a dedicated response team
can mitigate these attacks quickly enough to
avoid significant attention, Pollet said. Poor
preparation, by contrast, can turn otherwise
insignificant incidents into major black eyes.
Preparation needs to go beyond the IT
department, however. Cybersecurity training
should include personnel in public-facing
roles such as media relations, so that those
employees are properly prepared to understand
and explain cyberattack events to the
public when they occur. Even if an event is
properly handled behind the scenes, mismanaging
the public perception can result in significant
reputational damage.
By contrast, a generator that is ready with
solid information on what happened and
the ability to explain it clearly can weather
otherwise potentially embarrassing events
in good shape. Media relations employees
should have a good basic understanding of
cybersecurity issues so that incidents can be
described accurately and terminology used
correctly.
Cybersecurity Insurance
Given the wide-ranging risks from cyberattacks,
one might think cybersecurity insurance
would be widely used. But in fact, a
2013 study by the Ponemon Institute found
that only 31% of responding companies carried
such a policy. Further, of those that did
not, 43% had no plans to purchase one. Cost
and policy exclusions were the main reasons
cited for this reluctance.
However, the Ponemon study also found
that of the 56% of responding organizations
that had experienced a material security exploit
or data breach during the previous 24
months (averaging $9.4 million in financial
impact), 70% became "much more interested"
in purchasing a policy afterward. This
suggests that companies taking a "wait and
see" approach often find out the hard way the
value of a cybersecurity policy.
The same study found that of those organizations
with policies, 71% felt the premiums
were fair (or too low) and 67% were likely or
extremely likely to recommend cybersecurity
insurance to colleagues.
The market for cybersecurity insurance
is clearly growing. The PricewaterhouseCoopers
study forecasts that the
global market will expand from $2.5 billion
in 2016 to $7.5 billion by 2020.
Barbican's White noted that the biggest
risk is the financial fallout from interruptions
in normal business operations. He pointed
to a 2015 Lloyd's study, "Business Blackout,"
that estimated potential impacts from a
remote-but-plausible large-scale cyberattack
on the U.S. grid could run into the hundreds
of billions of dollars.
"The study showed that business interruption
losses were, by some way, the largest
constituent of the overall loss figure. It is
imperative that companies understand how to
quantify their potential business interruption
losses and factor these into the scope of their
insurance cover."
He also mentioned an ominous element of
this risk.
"The question here is not so much
whether cover is available," he said, "but
rather whether there is sufficient capacity
within the insurance sector to meet overall
demand. Some of the large-scale power
companies will require multi-billion dollar
limits; however, the insurance market is
not currently in a position to provide that
level of cover."
That means that proper preparation to
guard against and mitigate damage from cyberattack
is all the more important.
"It is important to remember that this is
a plausible situation that is being assessed
with realistic potential loss estimates," White
warned. "Using [the 2015 study scenario], it
is clear that those without adequate protection
in place leave themselves vulnerable to
severe financial losses." ■
-Thomas W. Overton, JD is a POWER
associate editor.