How much does a security control reduce cyber risk? What control or mix of controls provides the most efficient cyber risk reduction? Tough questions that a team of researchers at INL and Sandia tried to answer in a project.

Two of the researchers, Jay Johnson of Sandia and Jake Gentle of INL, join Dale on the show to talk about the metrics and results. The project was Cyber Resilience for Wind Installations, but the metrics and results are applicable to every sector. We get into the weeds on this episode and discuss:

• how they created the test environment
• the two attack scenarios (and why only two and how easy it would be to expand)
• the physical resilience score
• the cyber resilience score
• the results from four different mixes of security controls
• areas for further testing and improvement
• and a tiny bit about trying to calculate an Expected Benefit from Cybersecurity Investment, which is a bit like ROI and how much money to spend.

Links

• Video: https://www.youtube.com/watch?v=bBLbLUFKzIc

• IEEE Access Journal Paper: https://ieeexplore.ieee.org/document/10043706

• POWER magazine article: https://www.powermag.com/cyber-resilience-for-wind-power-installations/

• 2-page flyer: https://www.researchgate.net/publication/367074443_Cyber_Resilience_for_Wind_Installations_A_Cyber_Resilient_Reference_Architecture

• Final project report: https://www.researchgate.net/publication/368599508_Hardening_Wind_Energy_Systems_from_Cyber_Threats-Final_Project_Report