How do you measure cyber risk? The pat answer is likelihood x impact, but in reality neither of these variables is very well understood. Most cyber incident databases are inadequate because incidents go unreported or, more often, are never recognized as incidents at all. A control system that falls offline or misbehaves is usually repaired or replaced as soon as the problem is discovered; that is the mandate of high-availability systems. Cyber forensics or event analysis (in most trivial cases) is never part of operational uptime.
The other challenge in understanding risk and impact is the question of how you measure how you are doing if nothing happens. I often joke that if you follow all of my recommendations for optimum security then nothing will happen! This is over-simplified and not at all true, but we can't simply throw our hands up and say it can't be measured.
OT cyber security is one of the fastest-growing concerns, with literally thousands of products, services and vendors promising the moon when it comes to how you should be protecting yourself.
That is why I love this latest podcast from our very own Ron Brash. Ron and Andrew Ginter sat down with our friends at Waterfall to talk about how you measure or quantify risk and remediation.
Check it out: