Show Me the Money: Estimating ROI from cyber security investments in oil refining | Automation.com

Show Me the Money: Estimating ROI from cyber security investments in oil refining

Show Me the Money: Estimating ROI from cyber security investments in oil refining

By Tom Ayral, Honeywell Cyber Security

There’s no lack of anecdotal or statistical evidence of the threat posed by cyber attacks to the oil and gas industry. The sector is widely held to be particularly at risk. In theNotPetya ransomware attack earlier this year, just three business sectors accounted for over 80 percent of targets, according to Kapersky: First was finance; third was manufacturing; but second, accounting for about a quarter of all attacks, was oil and gas.

The sector is also sometimes thought to be ill prepared. Practice at critical infrastructure firms is often poor, according to Marty Edwards, then head of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team. He’s said he is “dismayed” at the accessibility of some networks.

At least in part, that reflects a threat that is, for many, abstract and ill-defined. Despite the surveys, individual cases usually go unreported. Only the most damaging – but perhaps also, seemingly, the least likely – tend to come to light.

The reasons for hiding attacks vary, from worries about spooking shareholders and the risk of publicizing vulnerabilities, to fears of increased insurance premiums. The result is the same, though: Few details emerge of losses that could help others estimate and understand the potential cost to their own businesses and help them with decisions about investing in cyber security solutions.

Without this information, the return from investments in cyber security remains difficult to quantify.

Rather than bemoaning what we don’t have, though, we should work with what we do. Various industry studies and intelligent guess-work already allow us to develop a first-pass financial estimate of potential losses from cyber attacks – which allows an estimate of the savings that implementing an effective cyber security program could bring.

 

Counting the Cost

We’re largely reliant on anecdote – but also the few publicized examples – to identify the kinds of attack most troubling refineries. Conversations with operating companies identify twocategories as probably the biggest concerns: ransomware (such as NotPetya); and Stuxnet-type attacks.

The risk, of course, depends on both the likelihood and impact of an attack, and that will vary by business; we don’t pretend every refinery or country would be affected the same. But, again, working with what we have, there is significant data to draw on.

To start with ransomware, the most significant risk a refiner faces as the result of an attack is loss of production. If we assume a refinery with a throughout of 100,000 bpd, studies help us fill in the other key variables:

  • The refining margin, which here we can base on the average globally –  $8.00 per barrel – but which businesses will know for themselves; and
  • the average length of a denial of service attack – 17.8 days, according to the Ponemon Institute.

For the refinery in question that would equate to a loss of $14.2 million (the length of the attack multiplied by the throughput and margin per barrel).

But this takes no account of the likelihood of an attack. Again, though, we can draw on previous work.

Studies suggest 18 percent of manufacturers surveyed were attacked with ransomware in 2016, for example. Also, statistics show for industrial facilities that were cyber attacked that 20 percent of those attacks targeted the manufacturing facility – the operational technology (OT) controlling or monitoring the plant assets - as opposed to targeting the IT of the manufacturing facility. A rough estimate, then, puts the chances of a ransomware attack affecting production in a given year at 3.6 percent (20 percent of attacks targeted the manufacturing of the 18 percent of manufacturing facilities that were attacked).

Combining the figures – a 3.6 percent chance each year of a $14.2 million loss – the risk can be valued at $513,000 per annum.

 

Showing the Value

We can make a similar estimate for Stuxnet-attacks, although with less empirical evidence in support.

Attacks that deliberately push industrial processes outside safe operating limits are, thankfully, very rare, so evidence on frequency and costs is meager. It takes little imagination, however, to see the potential consequences are serious. The risks stretch beyond business interruption to threats to the plant, its people, the public and environment. Government policy is built on this assumption.

The physical dangers could include explosions, fires and fuel leaks. Financial risks would be likely to include lawsuits, fines and higher insurance premiums, along with loss of production. Even conservatively, an estimate of $300 million costs for a 100,000 bpd refinery seems conservative, based upon costs for refinery fires and explosions from non-cyber attack causes.

If so, even if the chances of a Stuxent-like attack were just a twentieth of the 3.6 percent risks of a ransomware attack (so 0.18 percent), this would add another $540,000 a year to the potential costs from cyber attacks: $1.053 million in total.

Perhaps the key question is whether increased investments in security can prevent this. Plainly, total security is unachievable – at least at any practical level of expense.

Experience equally shows us, however, that a cyber security program will significantly reduce risk if it covers all key areas: from backups, firewalls, patches and virus protection; through whitelisting, network inventories and dark device detection systems; to training and policies, security metrics and vulnerability monitoring.

Put all these in place properly and it’s reasonable to expect such a program to prevent at least 80 percent of attacks. Taking a loss figure of $1.053 million without prevention, we can therefore argue for annual savings from a robust cyber security program of $842,000 (80 percent of the total potential loss).

It’s clear this figure is built on a number of assumptions, and like all insurance loss estimates has a high level of uncertainty. But, when operating companies ask “what is the payback from a Cyber Security program?”, they need this analysis to justify and rank cyber security projects in comparison to other potential projects.  

These calculations are an estimate to bring the risks of attack and returns of cyber security alive for those making investment decisions. It enables them to relate the industry surveys and statistics to their business, and make intelligent decisions to protect them. Only when that happens will firms see the value of cyber security, and will the bigger picture for the industry begin to improve.

While the calculations and estimates presented in this article are based on examples for the oil refining industry, the methodologies used and calculation formats can be easily applied to other manufacturing industries. The data inputs to the estimates, for example average daily product production, price margin per unit and costs associated with a fire or explosion, are inputs that are usually easily available for most manufacturing industry sectors.

 

MORE ARTICLES

VIEW ALL

RELATED