Cyber-Insurance for Cyber-Physical Systems Carlos Barreto, - PowerPoint PPT Presentation

Cyber-Insurance for Cyber-Physical Systems Carlos Barreto, Carlos.BarretoSuarez@utdallas.edu Alvaro A. C´ ardenas, Alvaro.Cardenas@utdallas.edu Galina Schwartz, schwartz@eecs.berkeley.edu University of Texas at Dallas 2018 IEEE Conference on Control Technology and Applications

Security is a Cost Center ◮ “Customers wanted the latest systems. They wanted Windows. They wanted to hook up to the Internet. Systems with security flaws were going out the door, and customers gobbled them up. Whatever risks they saw were offset by anticipated benefits. Buyers were not about to wait for something that would be expensive, overly constrained, and obsolete even before it was delivered. Anyone who thought otherwise would miss out on the information technology revolution taking place.” Dorothy Denning ◮ “There are two things I am sure of after all these years: there is a growing societal need for high assurance software, and market forces are never going to provide it” Earl Boebert

How Much Should Firms Invest in Security? ◮ Even if you invest all you can in Security, System is not 100% Secure ◮ Risk Management: Identify risk and build controls to mitigate them “Making a strong business case for cybersecurity investments is complicated by the difficulty of quantifying risk in an environment of rapidly changing, unpredictable threats with consequences that are hard to demonstrate.” DoE Roadmap to Achieve Energy Delivery Systems Cybersecurity.

Differences between IT (Web Commerce, Banking) and CPS (Power Grid, IoT) IT CPS Attack’s Political (Hard to Monetize) Motivation Financial Frequency Rare High of attacks (some events aren’t public) Who Pays Industry Gov. & population Costs of Attacks Security Better Outdated

As a Result CPS are Vulnerable with Basic Security Gaffes It is difficult to deal with cyber risks on IT ◮ Unauthenticated remote connection to devices ◮ Unencrypted communications ◮ Hardcoded backdoor from manufacturer ◮ Hardcoded keys in devices ◮ Devices have several easily exploitable vulnerabilities (e.g., Project Basecamp from DigitalBond) ◮ Vendors not patching (mostly legacy devices)

In a Market Failure Gov. Should Get Involved 1. Critical infrastructures (e.g., power grid) are owned by private companies. 2. An attack to the power grid will cost more to society than to electric utilities. 3. Governments are responsible for Homeland Security (public good) and electric utilities are not (outside their budget/scope?) 4. Additional problem: It doesn’t matter if one utility sets an example because this is a weakest security game—Interdependencies (e.g., cascading failures) 5. Nations have much more to lose from an attack than utilities

First Attempt: Regulation 1. Cybersecurity Act (S.3414) and SECURE IT Act (CPS) never passed! 2. EO 13,636: Improving Critical Infrastructure Cybersecurity (we hosted 1 meeting at UTD). 3. NERC CIP ◮ Plant managers were removing black start capability in order to avoid paying for NERC CIP compliance ◮ Operators removing IP connectivity but leaving dial-up & Bluetooth ◮ “A giant exercise in avoidance” So if Regulation is not the answer, what can be?

How do we manage risks? Measure the risks and the attitudes toward risks ◮ Random variables capture uncertainties ◮ Utility functions capture people’s preferences (risk averse, neutral, seeking) Choose mechanisms to mitigate risks ◮ Reduce their impact: ◮ Prevent the events: ◮ Data backups ◮ Firewalls ◮ Do not store sensitive data ◮ Authentication ◮ Develop incident response plans ◮ SIEM ◮ Transfer the risk: ◮ Cyber-insurance

Gov. Mandated/Nurtured Cyber Insurance for CPS Cyber insurance Tool to manage risk that can incentive investments in security. Benefits of insurance ◮ Insurance companies need to assess the security posture of the firm. ◮ The premium measures the risk (high premium means the firm has bad security practices). ◮ Firms may invest in security to reduce the risk, and consequently, the premium (Elrich and Becker, 1974).

Cyber Insurance is not a New Concept, It has Existed for IT for Over a Decade

But the study of Cyber-Insurance for CPS is New, and More Challenging ◮ Lack of actuarial data (Stuxnet, Ukraine,.. very few attacks) ◮ A single event can reach catastrophic consequences (long tail risk) Current cyber Insurance policies limit their exposure to CPS-like events Exclusions ◮ Physical damage ◮ Acts of terrorism or war

Traditional risk management becomes ineffective with rare events Insurers can manage catastrophic risks through reinsurance ◮ Natural disasters Rare events with high impact (extreme events) can exceed the capacity of the (re)insurers. E.g. earthquakes can be uninsurable. We need to study ◮ How to model and measure the the risk of extreme events ◮ Mechanisms to manage these risks

What is Extreme Risk and How Can We Measure It? 0.0200 Distribution of losses 0.0175 Worst events that occur 0.0150 with probability 1 − α Probability of losses P ( X = x ) 0.0125 0.0100 Average of the worst events 0.0075 0.0050 0.0025 0.0000 E[X] VaR α TailVaR α Losses ( x ) Figure 1: Representation of three risk measures (expected value, VaR α , and TailVaR α with α = 0 . 9) of a r.v. X with a Fr´ echet distribution.

Results analogous to the central limit theorems indicate how to model extreme events We can approximate the distribution of i.i.d. extreme events with the extreme value distribution or the Pareto distribution. Fisher- The distribution of extreme events (if Tippet exists) converges to the extreme value Theorem distribution Pickands- Balkema-de The tail of a distribution converges to Haan the generalized Pareto distribution Theorem

Generalized Extreme Value (GEV) Distribution Let I 1 , I 2 , . . . with an unknown cdf G ( x ) = Pr[ I i ≤ x ], where I i might represent insurance claims. Let M n = max { I 1 , . . . , I n } i be the maximum among the n first observations. Furthermore, let us define the normalized maximum as M n − b n , where b n and a n a n determine the location and scale of the distribution. The Fisher-Tippett Theorem states that if the distribution of a normalized maximum converges, then the limit belongs to the family extreme value distributions H ξ , for some parameter ξ . That is, � M n − b n � Pr ≤ x = G max ( a n x + b n ) → H ξ ( x ) a n as n → ∞ .

The family of extreme value distributions is defined as � exp( − (1 + ξ x ) − 1 /ξ ) if ξ � = 0 , H ξ ( x ) = exp( − e − x ) if ξ = 0 , where ξ is the shape parameter of the distribution and x should satisfy 1 + ξ x > 0. The extreme value distributions can be classified in three subfamilies. 1. If ξ = 0, then H ξ belongs to the Gumbel family, which have medium tails. 2. If ξ > 0 then H ξ belongs to the Fr´ echet, which have heavy tails (power law). 3. If ξ < 0, then H ξ belongs to the Weibull family, which have a short tail with an upper limit.

Extreme events converge to the generalized extreme value distribution Extreme value distributions 0.05 Gumbel ( ξ = 0) Frechet ( ξ =1) Weibull ( ξ =-1) 0.04 0.03 Probability 0.02 0.01 0.00 0 25 50 75 100 125 150 175 200 x Figure 2: Examples of the families of extreme value distributions.

Model of Security Investments and Losses Expected utility of firms � Q α E [ U ( w 0 − C ( z ) − L ) | L ≤ Q α ] = U ( w 0 − C ( z ) − x ) dG ( x , ξ ( z )) 0 Social losses Expected losses not paid by the firms � ∞ E [ L | L > Q α ] = ( x − Q α ) dG ( x , ξ ( z )) Q α Parameters U (): Utility function C ( z ): Cost of protection w 0 : Initial wealth L : Random loss z ∈ [0 , 1]: Protection level Q α : Maximum loss contemplated

How Can we Incorporate Extreme Events to Model Cyber Insurance? Assumptions Losses Firm’s Actions ◮ Follow a Fr´ echet distribution ◮ Get insurance ◮ Protection reduces the tail: ◮ Invest in protection ξ ( z ) = 1 − z , where z ∈ [0 , 1]. Risk measure Value at Risk (VaR) ◮ α -VaR ignores large losses with low probability ◮ α represents the liability of a firm

Sanity Check: Model Captures Underinvestment In Security 0.55 90%VaR 95%VaR Expected Utility 0.50 0.45 0.40 0.0 0.2 0.4 0.6 0.8 1.0 Investment in Protection (z) (a) Expected utility of the firm with different risk measures. 10 3 90%VaR Expected Social Cost 95%VaR 10 2 10 1 10 0 0.0 0.2 0.4 0.6 0.8 1.0 Investment in Protection (z) (b) Expected social cost (losses not covered by the firm).

Under Fair Premiums, Firms Create a Moral Hazard 0.70 Expected utility without insurance 0.65 Expected utility with insurance Expected Utility 0.60 0.55 Assumptions 0.50 The insurer limits 0.45 0.40 its exposure to 0.0 0.2 0.4 0.6 0.8 1.0 Investment in Protection (z) extreme events (a) Limited liability (90%VaR). ◮ Max. coverage = Q α 0.70 Expected utility without insurance 0.65 Expected utility with insurance The insurer charges Expected Utility 0.60 an actuarial fair 0.55 0.50 premium 0.45 0.40 ◮ P ( z ) = 0.0 0.2 0.4 0.6 0.8 1.0 � Q α Investment in Protection (z) x dG ( x , ξ ( z )) 0 (b) Full liability (99 . 9%VaR).