SUCCESS STORY

Turning Cyber Risk Into a Board-Level KPI
A Renewable Energy IPP’s Cybersecurity Transformation

Introduction

As renewable energy becomes a cornerstone of modern power infrastructure, ensuring the security of the systems that manage wind and solar energy is no longer optional—it's essential. But how do you measure a threat you can't see? And how can you make smart investments in cybersecurity when the return on those investments is invisible? For most executives and board members, industrial cybersecurity remains a black box—difficult to quantify, harder to act on, and nearly impossible to insure without facing rising premiums.

This case study walks through how a North American Independent Power Producer (IPP), operating over 60 wind and solar energy facilities, transformed its approach to cybersecurity. By moving from a traditional defensive posture to a proactive, data-driven model, the company gained clear insight into its true cyber risk exposure—and used that insight to reduce financial losses, optimize cyber insurance, and prioritize investments where they mattered most. 

Business Context: Complex Operations and Growing Threats 

This IPP manages more than 6.0 gigawatts (GW) of electricity generation capacity, spread across a highly distributed fleet of wind and solar facilities. Although it had already deployed an Operational Technology (OT) Intrusion Detection System (IDS) and outsourced 24×7 monitoring to a Managed Security Services Provider (MSSP), leadership lacked clarity on some fundamental questions: 

  • “How much cyber risk do we actually have?” 
  • “Where should we invest to make the biggest impact?” 

These are common concerns for industrial organizations. The board wanted hard numbers—not estimates—and a roadmap grounded in actual risk, not just compliance checkboxes.

Challenge: Quantifying the Invisible  

Despite visible investments in monitoring and detection systems, several key challenges persisted: 

  • Remote Access Risks: OT systems were increasingly being targeted through exposed service interfaces and remote access connections. 
  • Insurance Pressures: With multi-million dollar premiums on the line, internal risk managers required a defensible and quantifiable picture of cyber risk exposure to better negotiate with, and transfer risk to, their insurer.
  • Uncertainty in Decision-Making: Without reliable risk metrics, it was difficult to evaluate which projects would have the greatest impact. 

In short, this IPP needed more than alerts and dashboards. It needed answers. 

Solution: Deploying the DeNexus DeRISK™ Platform 

To bridge the gap between visibility and action, the IPP deployed the DeNexus DeRISK™ cyber-risk quantification and management platform. 

Unlike traditional tools, DeRISK™ doesn’t monitor threats—it models how attacks might impact business operations. It integrates: 

  • Real-time telemetry from existing cybersecurity tools and systems such as Nozomi Guardian, ForeScout eyeInspect, Claroty CTD, Dragos, and Palo Alto and Fortinet firewalls.
  • External threat intelligence covering adversary tactics, techniques, and known vulnerabilities relevant to the IPP’s operations and supply chain.
  • Portfolio-Wide Modeling: Quantifies risk across all sites and sub-portfolios.
  • What-If Analysis: Simulates the impact of proposed cybersecurity projects before investment.

This combination allowed the platform to simulate and forecast financial losses from cyber incidents at both the site level and across the entire portfolio. 


What They Measured 

DeRISK™ focused on three key financial risk metrics: 

  • Annual Expected Loss (AEL): The statistically predicted average yearly financial loss due to cyber incidents. 
  • Value-at-Risk (VaR-95 and VaR-99): The worst-case scenario losses that might occur in 1-in-20 and 1-in-100 year events, respectively. 

Baseline findings: 

  • AEL = $7.6 million 
  • VaR-95 = $26.7 million 
  • VaR-99 = $58.7 million 

Key Financial Portfolio Metrics
These are the annual loss metrics based on the current risk of all facilities within the portfolio.

| Metric | Value ($) | Value (in Days of Revenue) |
|---|---|---|
| Most Probable Loss | $2,445,697 | 0.9 |
| Expected Loss | $7,658,420 | 2.8 |
| Value at Risk (VaR) 95th Percentile | $26,754,454 | 9.7 |
| Value at Risk (VaR) 99th Percentile | $58,789,485 | 21.3 |

These numbers provided the IPP with its first truly defensible, portfolio-wide snapshot of cyber risk. It also immediately established cyber risk as material to the business—on par with physical equipment failures or major supply-chain disruptions.

Key Insights: Understanding the Risk Landscape

The analysis uncovered several actionable insights:

  1. Business Interruption Drives Cost
  2. Solar Sites are Higher Risk
  3. Company-Managed vs. Vendor-Managed Site Risk
  4. “Crown Jewels” Are the Most Vulnerable
See below for details.

1. Business Interruption Drives Cost
The top contributor to expected annual loss was full and partial capacity loss (i.e., downtime and loss of productivity, respectively) resulting from business disruption caused by a cyber-attack:

| Loss Category | % of AEL | Estimated Loss |
|---|---|---|
| Loss of Productivity | 59.6% | $4.53M |
| Downtime | 29.3% | $2.22M |
| Equipment Damage | 4.8% | $0.36M |
| Extortion (e.g., ransomware) | 2.8% | $0.21M |
| Forensic Investigation | 2.2% | $0.17M |

2. Solar Sites Are Higher Risk
Although solar facilities made up roughly half of the IPP’s total sites, they accounted for ~80% of total cyber risk. This prompted a shift in focus to prioritize cybersecurity investments at solar facilities.

3. Company-Managed vs. Vendor-Managed Site Risk
Company-operated facilities accounted for 62% of the total site count but contributed 78% of portfolio risk. This discrepancy could be due to:

  • Lower security controls at company-managed sites
  • Greater uncertainty or under-reporting from vendor-managed sites

Action: Either improve in-house cybersecurity operations or increase scrutiny of vendor-managed facilities.

4. “Crown Jewels” Are the Most Vulnerable

Just 4 of the company’s facilities (producing 25% of company revenue) accounted for 48% of total cyber risk. This concentration of risk underscored the importance of tailored protection strategies.

Action: Prioritize cybersecurity upgrades at high-revenue, high-risk locations.

The Mitigation Roadmap: Measured and Modeled

Instead of spending blindly, the IPP used DeRISK™ to simulate how different cybersecurity initiatives would affect risk:

2025 Projects

  • Implement standalone Active Directory in the OT environment
  • Deploy Privileged Access Management (PAM) to improve remote access

Expected Risk Reduction:

  • 7.5% AEL (~$600K)

2026 Projects

  • Improve OT disaster recovery and backup processes
  • Harden endpoints and apply secure configurations

Expected Risk Reduction:

  • 10.7% AEL (~$830K)

Cumulative Impact (2025–2026)

  • 18.2% AEL = $1.4 million loss avoided annually
  • 24.2% VaR-95 = $6.5 million less risk for rare 1-in-20 year events
  • 16.4% VaR-99 = $31 million less in worst-case loss

Business Outcomes 

By the end of the assessment and planning phase, the company achieved several measurable wins:

  • $1.4M in annual expected losses avoided
  • $6.4M reduction in cyber-insurance limits needed, opening the door to premium discounts
  • Alignment between IT and OT teams, thanks to shared, data-backed metrics
  • Executive confidence, with risk appetite now grounded in real-world scenarios

DeRISK™ helped turn an abstract problem into a manageable and quantifiable KPI.

What Comes Next?

The company isn’t stopping here. Their roadmap includes:

  1. Executing the 2025 mitigation projects and authentication upgrades across top-risk facilities.
  2. Negotiating better insurance terms using their new, lower risk profile and better insights.
  3. Continuously integrating live threat intelligence into DeRISK™ for up-to-date decision making.
  4. Extending risk modeling to new assets acquired through M&A.
  5. Annual reassessments to re-prioritize spending based on maturing controls.

 

Conclusion: From Guesswork to Governance

This case study shows how a large, distributed energy company took control of its cyber risk by focusing on what matters most—quantifying impact, prioritizing investment, and aligning security with business goals.

Where once the board had uncertainty, they now have clarity. Where the insurance team faced high premiums, they now hold leverage. Where the OT and IT teams operated in silos, they now speak the same risk language.

Cybersecurity, when measured and modeled properly, becomes more than defense. It becomes strategy.

With DeRISK™, this company didn’t just get a better cybersecurity program—they got a smarter business strategy.

If you want to learn more, get in touch with our team, or understand how the above is put to use to quantify and manage cyber risks at 250+ industrial sites monitored by DeNexus, you can contact us at https://www.denexus.io/contact.