Risk management can deliver value for customers, shareholders and the environment. New technologies and expanding business models present both opportunities and risk. You can make better decisions when you have increased access to industrial process data, digital innovations and intelligence on the evolving threat landscape. Additionally, critical infrastructure organizations have extended their supply chain processes and systems beyond their operations to include supplier and customer processes and systems.
These developments improve business productivity, even as utilities have become more reliant on the security posture of suppliers and consumers. Disruption to security systems can directly impact the process flow between suppliers and consumers. Information technology (IT) security specialists frequently struggle to understand the industrial processes supported by industrial control systems (ICS). Similarly, ICS specialists may be aware of IT security risks but not truly understand them. Because of these blind spots, companies may not be prepared to address the full range of security and business risks that stem from being part of the connected industry, including ICS and SCADA environments.
4-Phase Approach to Risk Management
As we work to help utilities develop a risk management program, we progress through four phases that facilitate complete and clear processes:
- Phase 1 – Assessment. Focus: Leadership and governance
- Phase 2 – Planning. Focus: Standards and regulations
- Phase 3 – Coordination. Focus: Integration of independent risk management activities
- Phase 4 – Implementation. Focus: Integration of independent internal control activities
Expanding Response to Meet the Need
The severity and frequency of cybersecurity attacks in critical infrastructure sectors continue to grow as cybercriminals, hacktivists, terrorist organizations and nation-state actors become increasingly sophisticated. Cyberthreats are moving beyond information technology and are now directly targeting critical plant operations.
But asset owners often remain focused on fortifying defenses from an outside-in perspective, while an equal or greater concern may be the risk posed by insiders — a risk that cannot be prevented by an air gap or other common defense. Other challenges that can exacerbate issues include improper network design and data flows, as well as control system misconfigurations. Cyber risk will continue to grow as companies digitize and modernize plant operations.
Our risk assessments are based on comprehensive, experienced analysis — examining requirements, extreme physical events, maintenance and management of assets, monitoring and situational control, protection system failures, and event response and recovery.
For electric utilities, successful application of risk management practices integrates critical models into all facets of the organization, from new facilities to asset inventories to new processes. We combine risk management knowledge with critical design thinking and industry-proven standards, delivering a framework that addresses the specific enterprise risks you face and your unique compliance cycle.
Risk Management Planning
A risk assessment is of limited value without a comprehensive plan to address the identified risks. Our team applies an accessible, scalable and documented process that allows us to continually assess, document, analyze, mitigate and report status throughout the project life cycle:
- Identification. Develop a consolidated, agreed-upon list of risks and a risk register.
- Analysis. Rate each risk according to probability and impact. Assign priorities and ownership. Develop a mitigation strategy.
- Mitigation and handling. Define the response strategy and confirm ownership of actions. Update the risk register to align.
- Monitoring. Report on risks and update mitigation strategies.
- Escalation. Develop a process to advance risk to issue status — meaning it’s no longer a question but rather has developed into a condition that is currently affecting objectives. Reporting remains consistent, but mitigation strategies may require additional development until the issue is minimized.
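The five-step register lifecycle above, worked as a small Python model. This is an added example, not code from the original page or the firm described; the 5-point probability and impact scales, the probability × impact score, and the sample risks (drawn from the insider, network-design and misconfiguration concerns named earlier) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    rid: str
    description: str
    probability: int           # 1 (rare) .. 5 (almost certain); 5-point scale is an assumption
    impact: int                # 1 (negligible) .. 5 (severe); same assumed scale
    owner: str = ""            # empty until Mitigation and handling confirms ownership
    mitigation: str = ""
    status: str = "risk"       # "risk" (still a question) or "issue" (already affecting objectives)

    @property
    def score(self) -> int:    # probability x impact, used to assign priorities
        return self.probability * self.impact

class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def identify(self, risk: Risk) -> None:          # Identification: one consolidated, agreed-upon list
        if risk.rid in self.risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        self.risks[risk.rid] = risk

    def analyze(self) -> list[str]:                  # Analysis: rank ids by probability x impact
        return [r.rid for r in sorted(self.risks.values(), key=lambda r: r.score, reverse=True)]

    def mitigate(self, rid: str, owner: str, strategy: str) -> None:   # Mitigation and handling
        self.risks[rid].owner, self.risks[rid].mitigation = owner, strategy

    def monitor(self) -> list[str]:                  # Monitoring: report items still lacking owner or strategy
        return [r.rid for r in self.risks.values() if not r.owner or not r.mitigation]

    def escalate(self, rid: str) -> str:             # Escalation: the risk is now a condition affecting objectives
        self.risks[rid].status = "issue"
        return self.risks[rid].status

def demo_register() -> RiskRegister:
    """Constructed sample register; the risks and ratings are illustrative, not from the page."""
    reg = RiskRegister()
    reg.identify(Risk("R1", "Shared vendor remote-access credential also used by insiders", 3, 5))
    reg.identify(Risk("R2", "No segmentation between corporate IT and the SCADA network", 4, 5))
    reg.identify(Risk("R3", "Default configuration left on a protection-relay HMI", 2, 3))
    reg.mitigate("R2", "OT network lead", "Zone/conduit segmentation with monitored firewall rules")
    reg.mitigate("R1", "Identity team", "Per-person MFA accounts for remote access; revoke shared credential")
    reg.escalate("R3")   # misconfiguration found to be affecting relay settings today, so risk -> issue
    return reg
```

Running `demo_register()` and then `analyze()` gives the priority order R2, R1, R3, while `monitor()` flags R3 as the only entry still without a confirmed owner and strategy.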