Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space and member of the AMRAE, describes the development of a response methodology to create resilience against cyber risks.
SPICE stands for Scenario Planning to Identify Cyber Exposure, and it is an initiative sponsored by the CFO of Airbus Defence and Space. It is a pilot programme for a business impact analysis to identify cyber-related disaster scenarios that could affect our operational capability, and it is truly innovative.
Philippe Cotelle’s presentation on SPICE at AIRBUS, FERMA Forum 2015
1. Cyber risks, a view from the industry
Philippe COTELLE
Head of Insurance Risk Management
2. BRUSSELS, 20-21 October
www.ferma.eu
FORUM 2015
Venice, Italy 4-7 October
A new industrial revolution
Where the aeronautic industry was a century ago…
… and this is how we see it in the coming decade:
3. Cyber risks exposure
Internet: a tool allowing the sharing of information between people in order to create an open world
Difficulty of protecting companies and their data from the outside.
4. What are the obstacles to a good assessment of our cyber risks?
• Reputation
• Wrong perception
• Confidentiality
5. SPICE initiative (Scenario Planning to Identify Cyber Exposure)
A pilot program for Business impact analysis on disaster scenarios affecting our operational capabilities related to a cyber-event
Gathering representatives of all the functions as well as IT and IM Security to overcome 3 hurdles:
• Explain to the operational people that we need them
• Address the security issue with extreme care
• Be prepared to openly discuss some potential scenarios of exposure and do not assume that it is impossible to hack a company like us
6. Scenarios identification
• Focus on disaster scenarios
• clear hypothesis
7. Assessing financial costs
Assessing financial cost of each scenario
• Split scenarios into 4 different phases
• Simplify the list of impacted functions
• Compute over/under charge per scenario, per phase
[Figure: financial costs for Scenario x across Phase A, Phase B, Phase C and Phase D (values shown: 10, 46, 88, 22). Timeline labels: Security Breach, Detection, Crisis, Remediation, Investments, Vigilance.]
8. Assessing financial costs
Lessons learned
NUMBERS are related to our financial exposure
There is no final number
The objective is to reach a consensus:
• acceptable by everyone
• valid for our analysis
9. Evaluate probability of occurrence
Quantify the technical probability of success of a scenario
• For each step of a given scenario, identify technical ways to proceed
• Rate each step with a probability of occurrence (using internal probability scale)
Assessment performed by the local Information Management Security
APT Kill Chain description used in the technical threat scenario
10. Evaluate probability of occurrence
Lessons learned
Same method but different numbers!?
2 different approaches:
If an attacker were seriously considering hacking Airbus, then this must be a very strong organisation which in itself should have gathered all those unique skills and resources. Therefore their probabilities were higher.
Given the defence systems in place, in order to be successful the attacker should gather so many different skills and resources that this was very unlikely to be plausible. As such the probabilities were very low.
• Need a homogeneous approach
• Associate with each scenario the type of hacker and their motives
11. Next Steps
Provide a rationale for mitigation strategy
[Figure: axes "Cost of implementing IT security" and "% of Mitigation"; annotation "Insurance premium cost is efficient"]
IT investment makes sense to mitigate the exposure
Justify the interest of the transfer to insurance both for coverage and premium budget
• IT investment to reduce the probability of occurrence, until the point in time when costs are too high.
• At that point in time insurance becomes complementary (and not competitive) to IT measures and is efficient from a cost point of view
Risk identification Risk Assessment Risk Response
12. Challenges
The process needs to be performed regularly and be as exhaustive as possible
• a strategy for managing the roll-out of this process across the entire organisation, products and countries
• an efficient process manageable with the operational teams
13. Challenges
The insurance market also needs to face several challenges:
• Conditions of dialogue with the insurers
• Problem of reputation in case of a claim
• Claim settlement
14. Conclusion
• Our mission: to support technological development and to develop the conditions for securing and mitigating the unavoidable risks that such opportunities generate.
• Support from top management required down to every level of the operations.
• The methodology is key to obtaining valuable results
• Many challenges are still in front of us all; there is no single response
A key message from the Board towards external stakeholders.
The question of the standard for cyber risk assessment