1.0 Overview
This section provide an Overview of the technical approach used in the VSAT™ software and a summary description of the software interface and screen layout.
1.1 Introduction to the Security Vulnerability Self-Assessment
Approach
Today, our world faces challenges we never before envisioned. Events
that have shaken our level of comfort also have provided an opportunity to
focus on aspects of life that many have known to be important, but on
which few have taken the time to act. This is true for people, companies,
governments and organizations of all types, utilities included.
As the concern for protecting our nation’s infrastructure intensifies, it is certain that all utilities will be asked to reassess their ability to continue to provide safe and reliable services to their customers and communities as a whole, as well as not provide an unwitting conduit for potential damage to the community or certain facilities it serves.
The industry needs a structured, cost effective approach to assess its vulnerabilities and to establish a risk-based methodology for making necessary changes. Accordingly, AMSA has developed a cost-effective methodology and implementing software to help utilities evaluate their vulnerabilities and identify cost-effective changes.
The methodology developed is based on a qualitative risk assessment approach shown in Figure 1 below. It adopts a broad, two-dimensional approach to assess vulnerability, prepare for extreme events, respond should they occur, and restore normal business conditions thereafter.
The first dimension of this framework examines utility assets:
- Physical Plant
- People
- Knowledge Base
- Information Technology (IT Platform)
- Customers
The second dimension of the framework recognizes that there is a process over time that begins with the need for early assessment and planning activities, followed by downstream response actions as a result of an extreme event, and eventually, business recovery activities that occur post-event.
The Vulnerability Self Assessment Methodology, as manifested in the VSAT software, is described briefly in the following paragraphs, keyed to blocks in the flowchart that appears below (click for full image).
1.1.1 Asset Categorization and Identification
At this initial stage, utility managers conduct an early desktop
inventory of utility assets in each of the five asset categories. They
then assess whether and the extent to which a range of human and natural
events may pose significant threats. Appropriate circumstances include
baseline conditions in each of the five asset categories and quick
responses to issues raised in the Association of Metropolitan Sewerage
Agencies vulnerability checklist for wastewater utilities. This provides utility
managers a general sense of their system’s vulnerabilities.
1.1.2 Criticality
Each of the identified vulnerabilities is then assessed to
determine its “criticality,” or the potential adverse consequences of
failure should an event occur. Four levels are typically sufficient to
categorize criticality: low, moderate, high, and very high. The exact
definition of these levels will be location- and condition-specific for
each utility, and should be defined in that context.
1.1.3 Existing Countermeasures
After the criticality is determined, specific existing measures
that can be used to mitigate initial vulnerabilities are determined. If,
for example, IT hacking is considered a viable threat, existing
countermeasures such as firewalls, network monitoring, and other measures
can reduce the level of vulnerability.
1.1.4 Vulnerability Rating
Next, utility managers select a vulnerability rating based on the asset in
question, an appropriate range and probability of threats, and the extent
to which countermeasures are already in place. Vulnerability ratings are
somewhat subjective, from very high to low, but they should nonetheless be
defined in the context of local conditions.
1.1.5 Risk Level
Now that the two fundamental aspects of risk, consequence (criticality)
and probability, have been determined, each vulnerability is evaluated
using a two-dimensional matrix. The flowchart shows a four-by-four matrix,
but if after defining criticality and vulnerability in the context of
local conditions, either or both require a different number of rating
levels, the dimensions of the matrix should be changed accordingly.
1.1.6 Risk Acceptability
Each level of risk should be defined at this stage. In general, red
denotes relative unwillingness to accept risk, whereas green denotes
relative willingness to accept risk. In any case, definitions should
reflect local conditions, since they are used, in effect, to set
priorities for risk mitigation.
1.1.7 Identify and Estimate Cost of Risk Mitigation
Typically those vulnerabilities with the highest risks receive the highest
priority. Utility managers evaluate equipment, technology, structures,
procedures, training, communications activities, and the like, that if
enacted would effectively mitigate risks, through a reduction of
criticality and/or vulnerability. Where initial mitigation activities may
cost more than their benefits, managers may seek risk-reduction
alternatives in an iterative fashion until costs are acceptable.
1.1.8 Business Continuity Plan
Business continuity plans map out the “who, what, when, where, and how”
for all improvements needed to mitigate or manage known risks. Improvement
activities address the questions:
“What do we need to do to be prepared for human and natural
extreme events?”
“What do we need to do to respond to human or natural extreme events,
should they occur?”
“What do we need to do to restore utility operations to normal after
response actions are complete?”
Improvement activities will tie back to each of the five utility asset categories, including such actions as capital investments, organizational changes, process reforms, improvements in information management, and enhanced communications. Implementation will follow priorities set earlier in this process, with the highest priority vulnerabilities addressed first. Finally, business continuity plans should include a schedule for testing periodically.
VSAT™ is a tool that can help utilities identify potential vulnerabilities and evaluate the potential mitigation of those vulnerabilities, along with documentation of the decision process, rationale employed, and relative ranking of risks.