Utilities

Company size : 1300

We developed a unique, desktop, scenario-based assessment in collaboration with the insurance industry to measure cyber security capability effectiveness and quantify impact to provide value to both client and insurer.

The assessment approach is underpinned with principles from NIST, IEC62443 and the MITRE ATT&CK.

A key insurer requirement was to obtain results at speed. This enables the insurer to quickly cut through to what matters: is the client’s cyber security capability effective at stopping a scenario-based attack; and what would be the expected losses resulting from a successful attack?

Therefore, we designed an approach that can be completed in a few days, resulting in a single-page report. The assessment methodology was originally developed to assess cyber/physical operations and Operational Technology environments but is used equally as well in traditional IT environments.

The assessment is not designed to replace a comprehensive assessment used to typically shape security programs. It is used more to aid equity-backed investment decisions, mergers and acquisitions, due diligence and insurance risk calculation.

Client requirement:

Opliciti was tasked with conducting the scenario-based capability effectiveness assessment of a European client’s Operational Technology environment; specifically, a telemetry system. The water utility company had wanted to understand both its current capability maturity and the likely success of its inflight security improvement program.

Client requirement:

Opliciti was tasked with conducting the scenario-based capability effectiveness assessment of a European client’s Operational Technology environment; specifically, a telemetry system. The water utility company had wanted to understand both its current capability maturity and the likely success of its inflight security improvement program.

Opliciti deliverables and value:

Our work included architecture review and qualitative and quantitative analysis to deliver a likely financial impact cost, resulting from a scenario-based attack.

The approach covered the following assessment areas:

  • Risk from an IT/OT scenario-based attack;
  • Likely impact and cost resulting from a single incident;
  • Current capability maturity (People/Process and technology);
  • Likely success of transformation including future capability maturity.

The final report was made available to both client and OT cyber insurers.

Summary

The approach and report were well received by the client. This work led to talks with a leading Lloyds of London underwriter regarding the assessment methodology within a cyber insurance product.