Cyber Vulnerability Assessment for Financial OT Cyber Risk

With an aggressive growth plan, the Director of cyber security needed to quickly assess risk across the fleet of existing assets so he could prioritize remediation investments.

The Challenge

The cybersecurity team needed a way to scale up their risk assessment process for a fast-growing fleet.

The organization wanted to standardize across existing frameworks (NIST CSF, Factor Analysis for Information Risk (FAIR), and OT-specific solutions) to quantify the risk at those sites, so that it had a common risk framework for making decisions with input from the executive committee.

Traditional consulting firms and services were too expensive, did not scale, and required weeks of data exchanges between consultants and the cyber security team.

Outputs and reports from traditional consulting firms did not allow the renewable energy company to easily edit its plan; the work was done in a customized one-off spreadsheet.

The Solution

In early 2022, DeRISK was deployed to a wind site in Texas to test the speed and accuracy of an automated OT cyber risk assessment and the financial outputs it delivered.

  • DeRISK collected inside data from a sensor on the site. The data collected included asset inventory, network topographies, and identified vulnerabilities.
  • Existing NIST CSF inputs were used to show the maturity of the site’s existing security controls, policies, and procedures in place.
  • Business information was collected from the customer's ERP system enabling DeRISK to run its cyber risk models and provide financial outputs.
  • Calculations were run on the inside data, business data, and the customer's OT supply chain outside-in data to build reports for the executive team.

The Results

The team quantified cyber risk, created a list of financially justified risk mitigation strategies, and delivered executive cyber risk reports to the company's CEO, CFO, CIO, and other executives.

DeRISK was rapidly deployed at OT sites across the fleet to expedite the risk evaluation process.

The DeRISK platform acted as a bridge between the cyber security and the executive leadership teams to show evidence-based incident probabilities, event loss amounts, risk reduction metrics, and expected ROIs.

The company went from a 12-week consulting engagement to a 3-week deployment to quantify risk. DeNexus saved the team 9 weeks and delivered evidence-based risk quantification data.

Because the business data used by the DeRISK platform came from the company's ERP system, the resulting executive reports and financial output were automatically credible. This eliminated the need to justify to the CFO the validity of the one-off spreadsheets and numerous manual manipulations used previously.

Value Created

Quickly Deployed Cyber Risk Assessments


Weeks saved per deployment


Dollars saved per assessment


Projected fleet savings

The multinational organization was able to plan a risk assessment for its entire fleet at considerable time and cost savings using the DeRISK platform instead of consultants or additional FTEs.