There are three general strategies for dealing with risk:
- Accept the risk: choose to accept the risk, and budget for the consequences that are likely to flow from that decision.
- Avoid the risk: choose not to undertake the risky activity.
- Reduce the risk: design controls to reduce the likelihood or the impact of the risk.
As you assess risk, a useful tool is a Design Basis Threat (DBT) which describes the threats that an asset should be protected from. Often used in the nuclear power industry, a DBT is typically a description of the motivation, intentions and capabilities of potential adversaries. A DBT is derived from credible intelligence information and other classified and non-classified data concerning realistic threats.
A DBT for the electricity sector has recently been completed by the NERC Electricity Information Sharing and Analysis Center's (E-ISAC) Physical Security Advisory Group, with the assistance of the US Department of Energy. It is available on the E-ISAC member web portal and NERC members are encouraged to consult the DBT as part of their security planning process. It is not intended to cover all facility-specific threats that may need to be considered, but it does provide a starting point for threats rooted in past attack examples in North America.
A threat and vulnerability assessment done by professionals and a DBT are simply tools designed to help you determine security gaps, assess the importance of fixing those gaps, and identify mitigation measures. The outputs of using these tools will directly feed your physical security plan. Your risk assessment results should arm you with the information required to make sound decisions based on the real risks to an organization's assets and operations.