SUCCESS STORY

Solar PV

Understand the cyber security posture in more depth for one operating solar project in Australia.

The Challenge

Understand their cyber security posture in more depth for one operating solar project

The Operational Technology (OT) cyber landscape is undergoing radical change, putting operators of critical infrastructure in constant financial uncertainty about their risk of cyber loss. 2019 witnessed a 2,000% year-over-year increase in industrial control system cyberattacks, with the average cost of an industrial cyber breach stacking up at $13.0m vs $11.7m in 2017.

One of these critical infrastructures that is directly affected by the increase in cyber risk is the Renewable Energy sector. Our customer operates solar PV generation facilities, and deployed DeRISK in one of them located in Australia, to better understand its exposure to cyber risks.

The Solution

Provide a detailed risk assessment explaining their top cyber security risks

The DeRISKTM platform was able to provide the client a detailed risk assessment explaining their top cyber security risks for their solar facility, broken down by source initial access vector and consequence type.

SolarWorkers-withAccent-2

The Results

DeRISK was able to provide the client a detailed risk assessment explaining their overall cyber exposure and top risk components, finding that the project ranks in the top quartile of its industry peers on cyber maturity. The top source of probable loss is remote services, and thus the area where further protection measures should be prioritized.

Results show that there are inexpensive and cost-effective measures to reduce this risk

Currently the cyber risk is well spread amongst different attack vectors, and thus it is more effective for further protection measures to be focused in stopping more advanced steps of the attack, such as privilege escalation. Results show that there are inexpensive and cost-effective measures to reduce this risk, such as reproducing the password protection policies that the customer has implemented on the IT side on the OT network as well.

With these results from DeRISK, the client is aware of their cyber security posture and is able to prioritize their risk mitigation based on ROI, Risk Reduction, Upfront Cost, Yearly Cost, Payback Period, or NPV.

Expected Loss Details

Initial Access Vector (IAV) & Expected Loss by Type

0

Remote services

0

Spear phishing

0

Site downtime

0

Reputational damage


Expected Losses vs Peers

0

Expected loss probability

0

Compared to industry average

Because of the nature of the customer’s operations as a renewable energy producer, an overwhelming majority of total risk comes from these top two cyber event types: (1) equipment damage and (2) business disruption/downtime makes up 93.7%.