Rick Holmes, assistant VP and CISO at Union Pacific Railroad, detailed at InfoSec World 2020 how the transportation giant incorporates cybersecurity risk into its larger enterprise risk management process in order to help senior executives estimate losses caused by potential cyber incidents and make better decisions on where to invest in defenses.
“We think that we’ve gotten there – that we can say over time how well we’re managing risk to the enterprise,” said Holmes.
Headquartered in Ohama, Nebraska, Union Pacific runs freight trains across 23 states spanning the western two-thirds of the United States. Its approximately 7,700 locomotives chug along roughly 32,200 miles of tracks, serving around 10,000 customers.
Union Pacific’s cyber risk framework is based primarily on the concept of preserving the availability of 26 key businesses processes that keep the business running and trains safely operating on schedule. These include dispatching trains, processing customer orders and procuring supplies. These processes are, in turn, supported by 36 critical applications and over 200 supporting infrastructure items.
“We really do monitor these environments very, very closely and have quite a bit of data historically about… the impact of different types of outages. And that informs our understanding of what the impact might be for different types of cyber breaches,” said Holmes.
UP assesses and analyzes risk from four different perspectives – those of an insurance company or actuarial expert, a compliance auditor, a legal advisor and the mind of an attacker. Key to the process, however, is the risk probability modeling that the cyber risk assessment team developed in order to statistically convey to upper management the likelihood of a cyber event occurring and the calculable monetary loss that would result.
For this, UP recruited management consultant and author Douglas Hubbard, who helped devise a framework that analyzed and categorized UP’s computing environment into various asset classes.
“There’s essentially 40 different kinds of computers on our network, over 100,000 devices, and they each have different attributes about them, in terms of what operating systems they run, how often they’re patched, whether they’re remotely accessible, etc., and with those attributes we can calculate how resilient an asset is,” said Holmes.
“So we use those resilience scores to… calculate the likelihood of something failing,” Holmes continued. “We then brought in experts from the finance department to help us calculate the estimated losses in terms of how much revenue would be lost or the cost of wages or labor, and so forth, if we were to have an event. Those are the impact calculations.”
This effort required the entire cyber risk project team to undergo a training program to improve the accuracy of their assessments after testing determined that the members were, by and large, “overconfident in our ability to estimate risk,” said Holmes. Once the training was complete, however, members “were able to estimate the likelihood of something happening at same rate as a bookie would in Las Vegas,” said Holmes.
Identifying the company’s most business-critical processes and estimating the probability of failure are actually step two and three of what Holmes laid out as an eight-step risk probability model process.
For step one, UP’s cyber risk assessment team evaluated past internal events, as well as external data from prominent sources such as data breach research reports, to get a better sense of various cyber incident rates. The team then applied those findings toward UP’s self-identified business-critical processes, applications and security objectives, and then employed the aforementioned asset classification processes to calculate out risk probability based on asset resiliency.
Next, the company established a risk tolerance curve by asking senior executives a series of questions, such as if they would accept a 50 percent chance of losing $10 million in a given year. Then, using Monte Carlo simulations, the company would calculate the potential losses of various risk scenarios, allowing UP to create an inherent risk curve.
“Then, simply, you compare your risk curve to your tolerance curve, and that dictates whether you need additional investments to try and mitigate those risks, and we use that to assess alternative paths of action,” said Holmes.
Holmes also said that the MITRE ATT&CK framework and the Center for Internet Security (CIS) Controls framework can both be applied to UP’s predictive risk models to help the organization ascertain the most effective mitigations strategies and determine which security controls have the best value proposition.