Cyber-Insurance for Cyber-Physical Systems, Carlos Barreto: PowerPoint presentation


Cyber-Insurance for Cyber-Physical Systems Carlos Barreto, Carlos.BarretoSuarez@utdallas.edu Alvaro A. Cárdenas, Alvaro.Cardenas@utdallas.edu Galina Schwartz, schwartz@eecs.berkeley.edu University of Texas at Dallas 2018 IEEE Conference on


SLIDE 1

Cyber-Insurance for Cyber-Physical Systems

Carlos Barreto, Carlos.BarretoSuarez@utdallas.edu
Alvaro A. Cárdenas, Alvaro.Cardenas@utdallas.edu
Galina Schwartz, schwartz@eecs.berkeley.edu

University of Texas at Dallas

2018 IEEE Conference on Control Technology and Applications

SLIDE 2

Security is a Cost Center

◮ “Customers wanted the latest systems. They wanted Windows. They wanted to hook up to the Internet. Systems with security flaws were going out the door, and customers gobbled them up. Whatever risks they saw were offset by anticipated benefits. Buyers were not about to wait for something that would be expensive, overly constrained, and obsolete even before it was delivered. Anyone who thought otherwise would miss out on the information technology revolution taking place.” Dorothy Denning

◮ “There are two things I am sure of after all these years: there is a growing societal need for high assurance software, and market forces are never going to provide it” Earl Boebert

SLIDE 3

How Much Should Firms Invest in Security?

◮ Even if you invest all you can in Security, System is not 100% Secure

◮ Risk Management: Identify risks and build controls to mitigate them

“Making a strong business case for cybersecurity investments is complicated by the difficulty of quantifying risk in an environment of rapidly changing, unpredictable threats with consequences that are hard to demonstrate.” DoE Roadmap to Achieve Energy Delivery Systems Cybersecurity.

SLIDE 4

Differences between IT (Web Commerce, Banking) and CPS (Power Grid, IoT)

                            IT          CPS
Attack’s motivation         Financial   Political (hard to monetize)
Frequency of attacks        High        Rare (some events aren’t public)
Who pays costs of attacks   Industry    Gov. & population
Security                    Better      Outdated

SLIDE 5

As a Result CPS are Vulnerable with Basic Security Gaffes

It is difficult to deal with cyber risks on IT

◮ Unauthenticated remote connection to devices
◮ Unencrypted communications
◮ Hardcoded backdoor from manufacturer
◮ Hardcoded keys in devices
◮ Devices have several easily exploitable vulnerabilities (e.g., Project Basecamp from DigitalBond)
◮ Vendors not patching (mostly legacy devices)

SLIDE 6

In a Market Failure Gov. Should Get Involved

1. Critical infrastructures (e.g., power grid) are owned by private companies.
2. An attack on the power grid will cost more to society than to electric utilities.
3. Governments are responsible for Homeland Security (public good) and electric utilities are not (outside their budget/scope?)
4. Additional problem: It doesn’t matter if one utility sets an example because this is a weakest security game: interdependencies (e.g., cascading failures)
5. Nations have much more to lose from an attack than utilities
SLIDE 7

First Attempt: Regulation

1. Cybersecurity Act (S.3414) and SECURE IT Act (CPS) never passed!
2. EO 13,636: Improving Critical Infrastructure Cybersecurity (we hosted 1 meeting at UTD).
3. NERC CIP
   ◮ Plant managers were removing black start capability in order to avoid paying for NERC CIP compliance
   ◮ Operators removing IP connectivity but leaving dial-up & Bluetooth
   ◮ “A giant exercise in avoidance”

So if Regulation is not the answer, what can be?

SLIDE 8

How do we manage risks?

Measure the risks and the attitudes toward risks

◮ Random variables capture uncertainties
◮ Utility functions capture people’s preferences (risk averse, neutral, seeking)

Choose mechanisms to mitigate risks

◮ Prevent the events:
   ◮ Firewalls
   ◮ Authentication
   ◮ SIEM
◮ Reduce their impact:
   ◮ Data backups
   ◮ Do not store sensitive data
   ◮ Develop incident response plans
◮ Transfer the risk:
   ◮ Cyber-insurance

SLIDE 9
Gov. Mandated/Nurtured Cyber Insurance for CPS

Cyber insurance

Tool to manage risk that can incentivize investments in security.

Benefits of insurance

◮ Insurance companies need to assess the security posture of the firm.
◮ The premium measures the risk (high premium means the firm has bad security practices).
◮ Firms may invest in security to reduce the risk, and consequently, the premium (Ehrlich and Becker, 1974).

SLIDE 10

Cyber Insurance is not a New Concept, It has Existed for IT for Over a Decade

SLIDE 11

But the study of Cyber-Insurance for CPS is New, and More Challenging

◮ Lack of actuarial data (Stuxnet, Ukraine, ... very few attacks)
◮ A single event can reach catastrophic consequences (long tail risk)

Current cyber insurance policies limit their exposure to CPS-like events

Exclusions

◮ Physical damage
◮ Acts of terrorism or war

SLIDE 12

Traditional risk management becomes ineffective with rare events

Insurers can manage catastrophic risks through reinsurance

◮ Natural disasters

Rare events with high impact (extreme events) can exceed the capacity of the (re)insurers. E.g., earthquakes can be uninsurable.

We need to study

◮ How to model and measure the risk of extreme events
◮ Mechanisms to manage these risks

SLIDE 13

What is Extreme Risk and How Can We Measure It?

[Figure: distribution of losses. x-axis: Losses (x); y-axis: Probability of losses P(X = x). Marked on the plot: E[X], VaRα, TailVaRα. Annotations: “Worst events that occur with probability 1 − α”; “Average of the worst events”.]

Figure 1: Representation of three risk measures (expected value, VaRα, and TailVaRα with α = 0.9) of a r.v. X with a Fréchet distribution.

SLIDE 14

Results analogous to the central limit theorems indicate how to model extreme events

We can approximate the distribution of i.i.d. extreme events with the extreme value distribution or the Pareto distribution.

Fisher-Tippett Theorem
The distribution of extreme events (if it exists) converges to the extreme value distribution.

Pickands-Balkema-de Haan Theorem
The tail of a distribution converges to the generalized Pareto distribution.

SLIDE 15

Generalized Extreme Value (GEV) Distribution

Let $I_1, I_2, \ldots$ be random variables with an unknown cdf $G(x) = \Pr[I_i \le x]$, where $I_i$ might represent insurance claims. Let $M_n = \max_i \{I_1, \ldots, I_n\}$ be the maximum among the first $n$ observations. Furthermore, let us define the normalized maximum as $\frac{M_n - b_n}{a_n}$, where $b_n$ and $a_n$ determine the location and scale of the distribution.

The Fisher-Tippett Theorem states that if the distribution of a normalized maximum converges, then the limit belongs to the family of extreme value distributions $H_\xi$, for some parameter $\xi$. That is,

$$\Pr\left[\frac{M_n - b_n}{a_n} \le x\right] = G_{\max}(a_n x + b_n) \to H_\xi(x) \quad \text{as } n \to \infty.$$

SLIDE 16

The family of extreme value distributions is defined as

$$H_\xi(x) = \begin{cases} \exp\left(-(1 + \xi x)^{-1/\xi}\right) & \text{if } \xi \neq 0, \\ \exp\left(-e^{-x}\right) & \text{if } \xi = 0, \end{cases}$$

where $\xi$ is the shape parameter of the distribution and $x$ should satisfy $1 + \xi x > 0$.

The extreme value distributions can be classified in three subfamilies.

1. If ξ = 0, then Hξ belongs to the Gumbel family, which has medium tails.
2. If ξ > 0, then Hξ belongs to the Fréchet family, which has heavy tails (power law).
3. If ξ < 0, then Hξ belongs to the Weibull family, which has a short tail with an upper limit.

SLIDE 17

Extreme events converge to the generalized extreme value distribution

[Figure: extreme value distributions. x-axis: x; y-axis: Probability. Curves: Gumbel (ξ = 0), Fréchet (ξ = 1), Weibull (ξ = −1).]

Figure 2: Examples of the families of extreme value distributions.

SLIDE 18

Model of Security Investments and Losses

Expected utility of firms

$$E[U(w_0 - C(z) - L) \mid L \le Q_\alpha] = \int^{Q_\alpha} U(w_0 - C(z) - x)\, dG(x, \xi(z))$$

Social losses

Expected losses not paid by the firms

$$E[L \mid L > Q_\alpha] = \int_{Q_\alpha}^{\infty} (x - Q_\alpha)\, dG(x, \xi(z))$$

Parameters

◮ U(): Utility function
◮ w0: Initial wealth
◮ z ∈ [0, 1]: Protection level
◮ C(z): Cost of protection
◮ L: Random loss
◮ Qα: Maximum loss contemplated

SLIDE 19

How Can we Incorporate Extreme Events to Model Cyber Insurance?

Assumptions

Firm’s Actions

◮ Get insurance
◮ Invest in protection

Losses

◮ Follow a Fréchet distribution
◮ Protection reduces the tail: ξ(z) = 1 − z, where z ∈ [0, 1].

Risk measure

Value at Risk (VaR)

◮ α-VaR ignores large losses with low probability
◮ α represents the liability of a firm
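Added example (not from the slides or the authors' paper): the risk measures of slide 13 and the social loss of slide 18, computed under this slide's assumption ξ(z) = 1 − z. It assumes the standardized Hξ of slide 16 (location 0, scale 1, since the slides give no loss scale) and covers only the Fréchet case 0 ≤ z < 1; all function names are illustrative.

```python
import math

def gev_cdf(x, xi):
    """H_xi(x) = exp(-(1 + xi*x)^(-1/xi)) for xi != 0, valid where 1 + xi*x > 0."""
    return math.exp(-(1.0 + xi * x) ** (-1.0 / xi))

def var(alpha, z):
    """alpha-VaR, i.e. the quantile Q_alpha of H_xi with xi(z) = 1 - z, for 0 <= z < 1."""
    xi = 1.0 - z
    return ((-math.log(alpha)) ** (-xi) - 1.0) / xi

def lower_gamma(s, t, n=2000):
    """Integral of y^(s-1) * e^(-y) over [0, t] for 0 < s <= 1.
    Substituting u = y^s removes the singularity at 0; Simpson's rule does the rest."""
    b, k = t ** s, 1.0 / s
    h = b / n
    f = lambda u: math.exp(-(u ** k))
    total = f(0.0) + f(b)
    total += sum((4 if i % 2 else 2) * f(i * h) for i in range(1, n))
    return total * h / 3.0 / s

def social_loss(alpha, z):
    """Integral of (x - Q_alpha) dG(x, xi(z)) over x > Q_alpha: losses above the cap."""
    xi = 1.0 - z
    if not 0.0 < xi <= 1.0:
        raise ValueError("Frechet case only: need 0 <= z < 1")
    if xi == 1.0:
        return math.inf  # with xi >= 1 the mean of the distribution diverges
    t = -math.log(alpha)
    tail_mass = 1.0 - alpha
    # In quantile space: integral of Q(p) over (alpha, 1) = (gamma(1 - xi, t) - tail_mass) / xi
    upper = (lower_gamma(1.0 - xi, t) - tail_mass) / xi
    return upper - tail_mass * var(alpha, z)

def tail_var(alpha, z):
    """TailVaR_alpha = E[L | L > Q_alpha] = Q_alpha + social_loss / (1 - alpha)."""
    return var(alpha, z) + social_loss(alpha, z) / (1.0 - alpha)

if __name__ == "__main__":
    # Constructed protection levels, chosen only to show the trend.
    for z in (0.0, 0.25, 0.5, 0.75):
        print(f"z={z:.2f} xi={1 - z:.2f} VaR90={var(0.9, z):8.3f} "
              f"TailVaR90={tail_var(0.9, z):10.3f} social={social_loss(0.9, z):8.3f}")
```

With no protection (z = 0, ξ = 1) the loss above the cap has infinite expectation, while the VaR the firm plans against stays finite.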

SLIDE 20

Sanity Check: Model Captures Underinvestment In Security

[Figure (a): x-axis: Investment in Protection (z); y-axis: Expected Utility. Curves: 90%VaR, 95%VaR.]

(a) Expected utility of the firm with different risk measures.

[Figure (b): x-axis: Investment in Protection (z); y-axis: Expected Social Cost (log scale). Curves: 90%VaR, 95%VaR.]

(b) Expected social cost (losses not covered by the firm).

SLIDE 21

Under Fair Premiums, Firms Create a Moral Hazard

Assumptions

The insurer limits its exposure to extreme events

◮ Max. coverage = Qα

The insurer charges an actuarial fair premium

◮ $P(z) = \int^{Q_\alpha} x\, dG(x, \xi(z))$

[Figure (a): x-axis: Investment in Protection (z); y-axis: Expected Utility. Curves: expected utility without insurance, expected utility with insurance.]

(a) Limited liability (90%VaR).

[Figure (b): x-axis: Investment in Protection (z); y-axis: Expected Utility. Curves: expected utility without insurance, expected utility with insurance.]

(b) Full liability (99.9%VaR).

SLIDE 22

Conclusions

◮ IT Security and CPS security are very different.
◮ CPS Cyber-Insurance is way more difficult to analyze than IT Cyber-Insurance (less data, extreme events, black swan events).
◮ Preliminary model of CPS insurance with GEV. In future work we will focus on the optimal design of premiums to improve investments in cyber-security (not fair premiums, which are not realistic in practice and which actually create a moral hazard).

SLIDE 23

Thank You

Questions?