The practice of risk management and the use of risk assessments is being endorsed, required and supported by all critical infrastructure sectors. Today's industry-developed security guidelines, standards and legislation incorporate recommendations and requirements for developing accurate assessments of consequences, threats and vulnerabilities. In some segments of the industry there has been a move toward practices that incorporate continuous assessments that are more timely and adaptive to changing risk variables. It is time that we realistically examine how useful these tools are to help prioritize efforts, define needed investment and provide a basis for security operations.
Have you been able to use these tools over a three-year period? How have they shaped your security investments? We also want to discuss the elements of the risk equation and take a hard look at our ability to qualitatively or quantitatively score variables like threat (Risk = Threat x Vulnerabilities x (1 - Protective Measures) x Consequences). The risk assessment process must generate accurate and usable threat information to assist security leaders in providing realistic estimates of likelihoods and building the necessary business case for improvements. U.S. intelligence and law enforcement organizations have little experience providing regular threat information and analysis customized into a usable format to be used by industry. How do you account for Threat with regard to your risk assessments, and have you seen any improvement in your ability to derive this important value?
Government and industry-led working groups are introducing multiple assessment processes in an attempt to meet the needs of diverse organizations responsible for a wide variety of assets and systems. This is a viable solution, however, only if the process used clearly identifies resources and measures required to reduce unacceptable risk to critical facilities. The assessment process must have the flexibility to gauge the likelihood and impact of potential attacks on facilities/assets. For the electric industry these include nuclear, hydro and fossil fuel plants, high voltage transmission facilities, fuel supplies, electronic control and communication systems and other infrastructure assets whose failure could debilitate the power grid.
In many cases, risk assessments have identified generation assets or high voltage equipment or substations that require facility hardening; the high security priority requires adding or reinforcing protective buildings and barriers, surveillance equipment, increased staffing, or other methods. The greatest challenge in this arena is the sheer number of facilities that must be hardened and the costs of providing the additional physical protections. The assessment does provide a process to drive priorities.
- Michael Assante
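The risk equation quoted in the post, worked through as an added example (not part of the original post): the threat term is carried as a low/high range rather than a point value, so the code can show whether a facility priority list survives the uncertainty in the threat estimate the post complains about. Asset names and all scores are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    threat: tuple               # (low, high) bounds on attack likelihood, 0..1
    vulnerability: float        # chance an attack succeeds absent controls, 0..1
    protective_measures: float  # effectiveness of controls already in place, 0..1
    consequence: float          # impact if the attack succeeds, e.g. a 1..10 scale

def risk(threat, vulnerability, protective_measures, consequence):
    """Risk = Threat x Vulnerability x (1 - Protective Measures) x Consequence."""
    for value in (threat, vulnerability, protective_measures):
        if not 0.0 <= value <= 1.0:
            raise ValueError("threat, vulnerability and protective measures must lie in [0, 1]")
    return threat * vulnerability * (1.0 - protective_measures) * consequence

def asset_risk(asset, bound):
    """Risk for one asset at the low or high end of its threat estimate."""
    threat = asset.threat[0] if bound == "low" else asset.threat[1]
    return risk(threat, asset.vulnerability, asset.protective_measures, asset.consequence)

def prioritize(assets, bound):
    """Asset names ordered from highest to lowest risk at the chosen threat bound."""
    return [a.name for a in sorted(assets, key=lambda a: asset_risk(a, bound), reverse=True)]

def ranking_is_stable(assets):
    """True only if the priority order is the same at both ends of the threat range."""
    return prioritize(assets, "low") == prioritize(assets, "high")

def hardening_benefit(asset, new_protective_measures):
    """Risk removed (at the high threat bound) by raising protective measures to the new level."""
    before = asset_risk(asset, "high")
    after = risk(asset.threat[1], asset.vulnerability, new_protective_measures, asset.consequence)
    return before - after

# Constructed sample portfolio; scores are illustrative, not from any real assessment.
SAMPLE_ASSETS = [
    Asset("Substation", (0.1, 0.6), 0.8, 0.2, 9),
    Asset("Hydro plant", (0.3, 0.4), 0.5, 0.6, 10),
    Asset("Control center", (0.2, 0.5), 0.6, 0.3, 7),
]

if __name__ == "__main__":
    for bound in ("low", "high"):
        print(bound, "threat bound:", prioritize(SAMPLE_ASSETS, bound))
    print("ranking stable across threat range:", ranking_is_stable(SAMPLE_ASSETS))
    print("hardening substation to 0.7 removes:", round(hardening_benefit(SAMPLE_ASSETS[0], 0.7), 3))
```

With the sample scores the substation ranks last if the low threat estimate is right and first if the high one is, so the hardening budget cannot be allocated defensibly until the threat value is pinned down.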
Hi Mike,
You may be familiar with Jack Jones' FAIR from your time in Columbus. I think it's better than your average risk formula (at least more consistent and defensible), and as I'm sure you're aware, changed the way Jack's former employer approached the issue. It's also WAY more flexible in terms of application throughout organizational IRM processes.
FAIR is released under the CCL and there is a forum starting end of month via the Open Group for the purposes of developing open, international standards.
http://riskmanagementinsight.com/riskanalysis/?p=73