Justifying Utility Security Investments


Transcript of Justifying Utility Security Investments

11 January 2017

Black & Veatch Management Consulting, LLC


Today’s Speakers

David Mayers, Managing Director, Security, Risk & Resilience

David Price, Associate Vice President, Asset Management

[Chart: Top 3 Industry Issues: Aging Infrastructure, Cybersecurity, Reliability (bars labelled 90%, 90%, 94%)]

Security is a top industry issue …

… but not a top investment priority

[Chart: Top 3 Capital Priorities: Transmission Improvements (including substations), Workforce Training & Development, Existing Asset Maintenance (bars labelled 40%, 41%, 63%)]

SOURCE: Black & Veatch 2016 Strategic Directions: Electric Industry Report


Why is it so hard to justify security investments?

Security investments don’t provide hard ROI like other programs. To show value, security investments must demonstrate risk reduction. How do you demonstrate risk reduction?

Targeted investments … decrease risk

Solution: Develop and Implement a Security Risk Framework

Today’s discussion centers on steps 2 – 4 of the framework and how this process supported investment in critical physical and cyber security needs of a large, Northeastern utility.


Identify Assets, Systems, Networks and Functions

Divide your assets into classes or tiers based on criticality and identify the security needs of each.

Tier 1: High-Risk, Compliance-Related Assets

Tier 2: Moderate to High-Risk Assets

Tier 3: Moderate to Low-Risk Assets

Subsequent Tiers Based on Criticality and Type

Assess Risks for Each Asset Class

Consider vulnerabilities, threats and the consequences of a breach or asset failure. Utilities must also assess internal vulnerabilities and controls used to mitigate threats.

[Figure: risk is assessed at three levels: Asset, Asset System, Asset Portfolio]

Assessing the Likelihood of Failure

Determining the likelihood of a threat occurring and/or a vulnerability being exploited.

Adversarial or Intentional Events

Accidents and Technological Failures

Natural Events

Consequence of Failure

Safety

System Reliability

Financial

Reputational

Environmental

Customer Perception

Scoring Scales Accurately Assess Criticality

Defining the Consequence of Failure

There are many types of consequences. Some are quantifiable, like financial, safety and reliability. Others are more qualitative, such as reputation and customer perception.

Quantify Risk

Risk modeling enables utilities to quantify risk of their existing assets and develop optimized plans that balance risk and costs based on the likelihood and consequence of failure.


Risk Trajectory Illustrative Example

[Chart: risk trajectory over time through three levels, with points A and B marked. IR = Inherent Risk Level: Monitor effectiveness of current mitigation plan. RR = Residual Risk Level: Develop action plan and monitor progress. TR = Target Risk Level.]

Identify and Prioritize

Capture the cost and benefit (risk reduction) of identified improvement opportunities.


Demonstrate Value

[Chart: Annual Capital Spend (Nominal $M) on the left axis ($0 to $180) and Portfolio Total Risk Score on the right axis (34,000 to 56,000), by year 2013 through 2020. Series: Direct Budget Allocation, Emergent Work Allocation, Run to Failure Risk Profile, Proposed Budget Risk Profile. Labelled data points: 54,393; 37,139; 42,153.]

32% Reduction in Total Risk Score
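The slides on quantifying risk, prioritizing improvements and demonstrating value describe one model: score each asset as likelihood of failure times a weighted consequence of failure, sum the scores into a portfolio total, then pick the improvements that buy the most risk reduction per dollar and report the resulting drop in the total. The Python below is an added illustration of that model, not Black & Veatch's own tooling or data; the consequence weights, the three assets, their scores and the improvement costs are all constructed. It goes slightly beyond the slides in one respect: the greedy selection re-scores the remaining options against the already-mitigated state each round, so two improvements on the same asset are not double counted.

```python
"""Illustrative security risk scoring and investment prioritisation.

Added example, not Black & Veatch's own model or tooling. Weights,
assets, scores and costs are constructed for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Consequence categories from the "Consequence of Failure" slide with
# assumed relative weights (constructed; a utility would calibrate its own).
CONSEQUENCE_WEIGHTS = {
    "safety": 0.25, "system_reliability": 0.25, "financial": 0.20,
    "reputational": 0.10, "environmental": 0.10, "customer_perception": 0.10,
}


@dataclass(frozen=True)
class Asset:
    name: str
    tier: int          # 1 = high-risk/compliance, 2 = moderate-high, 3 = moderate-low
    likelihood: int    # 1 (rare) .. 5 (almost certain) that a threat is realised
    consequence: dict  # category -> 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Improvement:
    name: str
    asset: str
    cost_musd: float                              # nominal $M
    likelihood_after: Optional[int] = None        # set if the control lowers likelihood
    consequence_after: Optional[dict] = None      # category overrides if it limits impact


def consequence_score(asset: Asset) -> float:
    """Weighted consequence of failure on a 1..5 scale."""
    return sum(w * asset.consequence[c] for c, w in CONSEQUENCE_WEIGHTS.items())


def risk_score(asset: Asset) -> float:
    """Risk = likelihood of failure x consequence of failure (1..25)."""
    return asset.likelihood * consequence_score(asset)


def portfolio_risk(assets: dict) -> float:
    """Portfolio total risk score: the sum over all assets."""
    return sum(risk_score(a) for a in assets.values())


def apply_improvement(asset: Asset, imp: Improvement) -> Asset:
    """Residual state of an asset once an improvement is in place."""
    likelihood = asset.likelihood if imp.likelihood_after is None else imp.likelihood_after
    consequence = {**asset.consequence, **(imp.consequence_after or {})}
    return replace(asset, likelihood=likelihood, consequence=consequence)


def prioritize(assets: dict, improvements: list, budget_musd: float):
    """Greedy selection by risk reduction per $M within a budget.

    Each round re-scores remaining options against the current (already
    mitigated) state. Returns (chosen names in order, assets after mitigation).
    """
    state, remaining, chosen = dict(assets), list(improvements), []
    while True:
        best, best_ratio = None, 0.0
        for imp in remaining:
            if imp.cost_musd > budget_musd:
                continue
            before = risk_score(state[imp.asset])
            after = risk_score(apply_improvement(state[imp.asset], imp))
            ratio = (before - after) / imp.cost_musd
            if ratio > best_ratio:
                best, best_ratio = imp, ratio
        if best is None:           # nothing affordable still reduces risk
            return chosen, state
        state[best.asset] = apply_improvement(state[best.asset], best)
        budget_musd -= best.cost_musd
        remaining.remove(best)
        chosen.append(best.name)


def reduction_pct(before: float, after: float) -> float:
    """Percentage drop in portfolio total risk score."""
    return 100.0 * (before - after) / before


# Constructed sample portfolio and improvement opportunities (not real data).
ASSETS = {
    "scada_gateway": Asset("Substation SCADA gateway", 1, 4, {
        "safety": 3, "system_reliability": 5, "financial": 4,
        "reputational": 4, "environmental": 1, "customer_perception": 4}),
    "control_center": Asset("Control center perimeter", 2, 3, {
        "safety": 4, "system_reliability": 3, "financial": 3,
        "reputational": 3, "environmental": 2, "customer_perception": 2}),
    "yard_fence": Asset("Distribution yard fence", 3, 2, {
        "safety": 2, "system_reliability": 1, "financial": 2,
        "reputational": 2, "environmental": 1, "customer_perception": 1}),
}
IMPROVEMENTS = [
    Improvement("Network segmentation and monitoring", "scada_gateway", 1.2, likelihood_after=2),
    Improvement("Control center access upgrade", "control_center", 0.5, likelihood_after=2),
    Improvement("Backup control facility", "scada_gateway", 4.0,
                consequence_after={"system_reliability": 2, "customer_perception": 2}),
    Improvement("Yard camera coverage", "yard_fence", 0.3, likelihood_after=1),
]


def demo(budget_musd: float = 2.0) -> dict:
    """Run the model end to end and return the figures a business case would cite."""
    before = portfolio_risk(ASSETS)
    chosen, after_state = prioritize(ASSETS, IMPROVEMENTS, budget_musd)
    after = portfolio_risk(after_state)
    return {"before": before, "after": after, "chosen": chosen,
            "reduction_pct": reduction_pct(before, after)}


if __name__ == "__main__":
    print(demo(2.0))
```

With the constructed inputs and a $2.0M budget the model selects the three cheapest high-ratio controls, leaves the $4.0M backup facility unfunded, and cuts the portfolio total from about 27.05 to 15.05 (a 44% reduction); raising the budget brings the backup facility in, but only for the 1.9 points of residual risk left on the gateway after segmentation, which is exactly the double counting the re-scoring loop prevents.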


Summary

• Understand Your System
  • Identify critical assets
  • Know interdependencies
• Identify Vulnerabilities
• Quantify Risk
  • Likelihood of failure
  • Consequence of failure
• Identify Improvements
• Quantify Benefits
  • Total risk reduction
  • High-risk asset mitigation
• Demonstrate Value
• Seek to integrate security into your asset management programs

Contact Information:

David Mayers
[email protected]
+1 704-510-8417

David Price
[email protected]
+1 936-666-8003

Additional Tools and Resources:

Online Security Self-Assessment: https://pages.bv.com/securityassessment.html

Subscribe to Security Insights newsletter: https://pages.bv.com/Security_Insights-Opt-In.html

www.bv.com