
Posts tagged BT Security

Tuesday, August 17, 2010

Reputation Damage – The Key to Assessing Business Threats

By Malcolm Stokes, Head of Operational Risk, BT Operate

When assessing threats to business, how can we tell whether security and resilience are good enough?  The answer depends largely on how we value reputation; however, there’s no recognized method for measuring damage to an organization’s reputation.  BT Security is piloting an approach that aims to solve this problem.

Business success, or survival in a crisis, depends ultimately on reputation.  If the expectations of customers, employees, suppliers, regulators, and/or investors are not met, reputation is damaged and the bottom line suffers.  Safeguarding reputation means continuing to meet expectations of security, reliability, product or service quality, value for money, and integrity.  Risk to any of these characteristics can be a threat to reputation, to market share, costs and profitability.  

If expectations are not met, customers will buy elsewhere, employees leave, suppliers are reluctant to offer best terms, regulators impose greater scrutiny, and investors may raise the cost of capital.  Any combination of these responses will tend to reduce revenues, raise costs and erode profits.

Nearly all business risks have the potential to damage reputation in some way, which is why the phrase — “damage to reputation” — arises so frequently as a possible consequence.  Often this intangible part of consequences is said to exceed the tangible losses that may arise from an incident.  However, without a consistent way to evaluate reputation damage potential, we may distort our analysis of risks and draw false conclusions.

Market surveys that ask which risks concern managers the most tend to find “reputation risk” at the top of the list, simply because almost all risks are potentially risks to reputation.  Look at any risk register and ask yourself if reputation can ultimately be affected.  Study a few well-known business failures (e.g., Ratners, Perrier, Pan-Am, Barings Bank, Enron, Andersen, Jarvis, and potentially BP) and consider the role played by reputation damage.

The proposed scheme for measuring reputation damage uses a set of 10 estimated cost components that together represent the overall cost to a company of suffering and repairing a damaged reputation.  Not all of these cost components will apply in every case:

  • Advertising and communication costs to restore trust
  • Reactive expenditure to prevent recurrence 
  • Cost of de-mergers and re-branding
  • Value of lost business contracts that are terminated
  • Cost of acquiring customers to offset increased churn
  • Opportunity cost of new business prospects and partnerships lost
  • Increased cost of capital due to lower credit rating
  • Cost of delayed product launches and smaller market share
  • Cost of replacing executives and managers who resign
  • Cost of replacing skilled employees who leave

The process of estimating what reputation damage might cost avoids the pitfalls of trying to value reputation or brands before and after an incident in order to assess the damage in terms of value difference.  A series of pilot studies are in progress to demonstrate how risk management and threat assessment can be more effective if reputation takes center stage in the process.

I’ll report back on what we find from the pilot studies.  But, in the meantime, join the discussion and let us know what costs your company associates with risk.

Tuesday, June 29, 2010

BP Oil Spill Wakes Up Country to Need for Stronger SCADA Controls

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

BP – a company name that’s on the minds of most Americans today and probably not in a good way.  The crisis we face today with the major oil spill is catastrophic and a direct result of time and cost pressures brought about in response to our increasing demand for energy.

BP is in the news today, but if demand growth for oil continues at this rate and supplies continue to dwindle, the oil spill we face today may seem small in comparison to future accidents.

With the industry trying to keep up with demand, network operations have been centralized, requiring distant controls to be managed over a wide variety of networking technologies, with all the attendant gateways such a model implies. 

While this approach can reduce costs and improve efficiency, it can also open the door to attacks by hackers and cyber terrorists.  This is a very real threat faced by oil and gas companies today.  Researchers have directly warned oil companies across the globe that offshore rigs are highly vulnerable to attacks.  In fact, just last year, a contractor in California was charged in federal court for hacking into a digital network in an attempt to disable an offshore rig, after allegedly being angry about not being hired as a full-time employee.  The attack – against a SCADA control system – was illustrative of the types of threats which, if successful, could have grave consequences.  Legacy thinking and a frequent lack of third-party testing and review all combine to create a classic system of unexpected complexity.  Such systems are the most likely to suffer compromise, whether malicious or accidental, resulting in catastrophic outcomes.

A multi-layered approach is critical to securing SCADA networks.  Each of the following layers plays a role in securing mission-critical, real-time control systems:

  • Perimeter Controls (Internet or Corporate Perimeter Defense)
  • People, Policies, Procedures (Business Continuity, Disaster Recovery)
  • Network Architecture (Firewalls, Routers, Switches)
  • Network Operating Systems (Domain Security, Active Directory, etc.)
  • Host Security (Operating systems of servers and workstations)
  • Application Security (SCADA, EMS, Database, Web, and more)
  • Unique Secure Requirements for what is being protected (Plant equipment, RTUs, PLCs, etc.)

Each layer requires ongoing testing and evaluation to determine the vulnerabilities that exist in these systems.  Oil and gas companies must consider a holistic approach to their security to avoid a potential cyber attack.  This approach includes:

  • Building a road map for security and regulation compliance – what systems are in place and how are they integrated?
  • Assessing vulnerabilities – identify and understand current vulnerabilities in the security of physical, IT and SCADA controls
  • Penetration testing – the only way to know if a hacker can get into your network or facility is to actually test the vulnerabilities found with an assessment
  • Developing an emergency response and disaster recovery plan – as we have seen with BP, there is a need to have a plan for the unexpected.  Having such a plan allows an organization to quickly recover and restore critical operational functions after an unexpected event
  • Gathering evidence – when critical assets come under attack, quick action is required to gather digital evidence and then use the evidence to prosecute

While this “to do” list for full SCADA security may seem overwhelming, engaging with a professional services organization that can assist in the execution and delivery of these steps — particularly penetration testing and BCDR plan development — can radically simplify the task list.  Learn more about how BT helps companies secure their critical infrastructure.
