The need for secure control systems is a growing priority for industrial applications. Recent high-profile cyber-attacks against critical infrastructure, the growing list of published equipment vulnerabilities, and the availability of tools that simplify attacks are making many industrial customers nervous. Yet obtaining funding for projects that improve cybersecurity can be difficult. The one constraint that all companies share is limited resources, which can be grouped into personnel hours and capital. The process of identifying candidate projects and deciding which to prioritize typically begins at the start of each fiscal year and is revisited throughout the year. The tool used to compare projects is a business case.
A typical business case consists of three key elements:
- The first is an estimate of the dollar amount the project will generate, either through increased sales, decreased costs, or a combination of the two.
- The second is the cost to implement the project.
- The third is a formula that combines the dollars generated and the project cost into a financial valuation of the project.
All projects are evaluated on the same terms (time period, cost of capital, etc.), allowing management to compare candidate projects against each other and allocate limited funds to best serve the company's interests. In this article, we describe why creating a cybersecurity business case for industrial applications is difficult.
We will begin by focusing on project expenditures. How much will it cost a company to secure its control network? This is a complex question, further complicated by the fact that answering it properly requires spending money up front. A key step in determining the cost of improving security in control applications is the creation of a security plan. A security plan defines a detailed list of changes that may be required to improve security, including changes to network architecture, purchases of equipment, creation and implementation of corporate security policies, and personnel training. Creating the security plan is a project in itself. Its deliverables include the following:
- Conducting a network audit to discover every element connected to the network, together with the connection paths between them
- Determining the security features and current settings of the network equipment
- Conducting a risk assessment detailing potential vulnerabilities, the threats that could exploit them, and the consequences if they did
- Defining the target security level of the system
- Creating a gap analysis that lists the proposed fixes needed to move from the current state to the target security level
- Assessing existing corporate security policies and organizational training needs
Once the security plan is complete, the company has a much better understanding of the specific tasks needed to secure its systems and of the estimated implementation costs. Thus, the process typically starts with funding to create the security plan, and its results then provide the data needed to populate a business case for improving system security.
Look for Part 2 of my blog, "The Cybersecurity Business Case – An Arduous Challenge," to learn more about the difficulties of creating a cybersecurity business case and for recommendations on gathering the data needed to properly justify cybersecurity expenditures.