Industrial Cybersecurity Risk Management: Methodologies

Centro de Ciberseguridad Industrial

What is risk management and what does it involve?

It is the process by which we identify and evaluate risks and, based on that evaluation, respond to them so as to bring them within a predefined tolerance. Cybersecurity is responsible for managing information security risks, and in Industrial Cybersecurity that cyber risk management has particularities that must be taken into account when selecting a methodology.

Although the process consists of identifying and analysing threats and vulnerabilities, and how the former can exploit the latter to cause damage, the main focus in Industrial Cybersecurity is the potential impact and its consequences. This leads us to define, generically for any industry and company size, the so-called risk receptors.

Basically, risk receptors are whatever can be damaged by a cyber attack with a high impact and serious consequences for business continuity. Bearing in mind that in Operational Technology (OT) these consequences can affect the environment and people (unlike the IT world), the receptors that are never missing are the following:

• Reputation and image
• Operation
• Financial
• People (the health of employees and of surrounding communities)
• Environment

Cybersecurity must determine how to respond to these risks (countermeasures): transferring them, mitigating them and bringing them within the organisation's own risk tolerance. What industrial cybersecurity protects in networks, systems and their components (hardware and software) is the triad of confidentiality, integrity and, above all, the availability of the processes; in OT, integrity and availability usually take priority over confidentiality, because they are what keep the physical process safe.

A fundamental concept to incorporate is security by design ("Security by Design"): cybersecurity must be part of a project from its conception and design stage, so that risk is engineered into the process and stays within the tolerance the organisation has defined. Doing so avoids having to bolt on countermeasures later and, with them, the higher cost of retrofitting.

Further on we also list everything a methodology must contain in order to give us order and structure for measuring risks and then responding to them, so that they end up within the organisation's tolerance range, or "risk appetite".

Normally each organisation has a so-called "heat matrix" or "risk tolerance matrix" that graphically shows the company's own risk tolerance. Cyber risks must be managed against it.

Figure: example risk heat matrix (likelihood versus consequence)

In the example, the risks (cells) are classified by their probability of occurrence (frequency) and the consequence they could entail. Normally the yellow (significant) zone marks the risk tolerance, so any risk we measure (from threat, vulnerability and impact, for each of confidentiality, integrity and availability) must fall in that zone or lower (green or blue). The number of rows and columns is usually 4 or 5 and is left to the criteria and methodology of each company's process risk analysis.

What methodologies can I use?

There are several methodologies for cyber risk management, based on international standards and best practices, as well as ways of responding to risks (such as the 4Ts: Tolerate, Terminate, Transfer and Treat, i.e. mitigate) and even techniques widely used in the military to treat (mitigate) risks, such as the 5Ds (Deter, Detect, Delay, Deny, Defend).

Below we mention some of those used to analyse cyber risks in OT environments:

NIST SP 800-30, Guide for Conducting Risk Assessments [1]: Developed by the National Institute of Standards and Technology (NIST) of the United States, it provides a detailed approach to identifying, evaluating and mitigating cybersecurity risks, centred on threats, vulnerabilities, impacts and likelihood of occurrence. Although it was developed for IT environments, it can be used in OT environments.

OCTAVE Allegro (Operationally Critical Threat, Asset, and Vulnerability Evaluation) [2]: Developed by the Software Engineering Institute (SEI) at Carnegie Mellon University, OCTAVE is a methodology built around the organisation's operationally critical assets; it focuses on identifying those critical assets, the threats to them and their vulnerabilities.

[1] https://csrc.nist.gov/pubs/sp/800/30/r1/final

[2] https://insights.sei.cmu.edu/library/introducing-octave-allegro-improving-the-information-security-risk-assessment-process/

ISA/IEC 62443 [1]: International series of standards developed by the International Society of Automation (ISA) and published jointly with the International Electrotechnical Commission (IEC). It provides a comprehensive framework for Industrial Cybersecurity, valid for industrial automation and control systems in any type of industry. Part 3-2 in particular defines the security risk assessment for system design: the system under consideration is partitioned into zones and conduits, and each is assigned a target security level according to the risk it carries.

NERC CIP [2] (North American Electric Reliability Corporation Critical Infrastructure Protection standards): Specific to the electricity sector. It establishes cybersecurity requirements for the bulk electric system in North America, including guidelines for identifying and assessing risks in industrial control systems and in the supply chain.

These are just a few; there are others from the IT world that can also be adapted to OT, such as ISO/IEC 27005 and ISO 31000. We can also see that there are vertical standards for particular industries, such as NERC CIP for the electricity industry, and more generic ones for all industries and company sizes, such as IEC 62443.

Which is the most suitable?

No methodology is more appropriate than the others. What matters most is to adapt them to the needs and characteristics of each organisation, taking what fits best in each case. Assembling an interdisciplinary team of cybersecurity professionals with experience in industrial environments, together with industrial process professionals, is key to carrying out an effective risk analysis and, above all, to developing mitigation strategies with appropriate countermeasures.

In order to act quickly and gain maturity before adopting one of the methodologies above, we can define and carry out a series of actions that allow a high-level cyber risk analysis and a short-term response to the most serious risks by applying countermeasures.

Adapting and customising these methodologies to the specific needs and characteristics of each company is essential to obtaining good results quickly. Taking the main points of the NIST Cybersecurity Framework and IEC 62443, we can define a quick guideline for a first cyber risk assessment and an effective response to it. Let us look at a concrete example, adapting and combining elements of different methodologies into a customised approach that best fits a given organisation. The participation of industrial cybersecurity experts is very valuable to ensure a complete and accurate assessment of cyber risks.

[1] https://gca.isa.org/blog/cybersecurity-risk-assessment-according-to-isa-iec-62443-3-2

[2] https://www.nerc.com/comm/RSTC_Reliability_Guidelines/Security_Guideline-Cyber_Security_Risk_Management_Lifecycle.pdf#search=cyber%20risk%20management%20guideline

Finally, let us see which steps cannot be missing from a good methodological approach to analysing industrial cyber risks. Here is a step by step, drawing mainly on the NIST CSF and the methodology proposed by IEC 62443:

Identification of Critical Assets: List and classify the industrial assets critical to the company's operation, and describe, for each risk receptor, the consequences that could arise if their confidentiality, integrity or availability were compromised.

Threat and Vulnerability Analysis: Evaluate potential threats and vulnerabilities associated with the assets identified above.

Cyber Risk Assessment: Calculate the risk for each identified threat from its probability of occurrence and its potential impact, and place it on the organisation's heat matrix.

Selection of Mitigation Measures: Identify and select mitigation measures to reduce risks to acceptable levels, that is, to within the organization’s tolerance level.

Implementation of Security Controls: Apply the security controls necessary to implement the mitigation measures selected above.

Continuous Monitoring and Surveillance: Establish a continuous monitoring process to detect changes in the environment, anticipate new threats and vulnerabilities, and manage cybersecurity incidents.

Scheduled Review: Review the consequences, threats, vulnerabilities and implemented countermeasures at a defined frequency, and document the changes.
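As an added example that is not part of the original article or of CCI's own material, the Python script below walks the steps above on a constructed risk register and places each risk on the heat matrix described earlier, recording the 4Ts response chosen for it. The 5x5 scale, the band boundaries, the tolerance line, the assets, threats and every rating are assumptions made for the illustration. It also shows a caveat a practitioner will want: "transfer" (insurance, contracts) can only lower the financial consequence, never the harm to people, the environment or the process, so on its own it rarely brings an OT risk within tolerance.

```python
"""Constructed example (not from the original article): a first-pass OT cyber-risk
register scored on a 5x5 likelihood x consequence heat matrix, with the 4Ts as
responses and a tolerance check on the residual risk. All ratings are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RECEPTORS = ("reputation", "operation", "financial", "people", "environment")
SCALE = range(1, 6)                                          # 1..5 (assumed scale)
TREATMENTS = ("tolerate", "terminate", "transfer", "treat")  # the 4Ts
# Band upper bounds on likelihood * consequence (assumed matrix). The yellow
# "significant" band is the tolerance line: a score at or below it is acceptable.
BANDS = ((4, "low"), (9, "moderate"), (14, "significant"), (19, "high"), (25, "critical"))
TOLERANCE = 14


def band(score: int) -> str:
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass
class Asset:
    """Step 1: a critical asset rated 1..5 for worst-case consequence per receptor."""
    name: str
    reputation: int
    operation: int
    financial: int
    people: int
    environment: int

    def consequence(self) -> Dict[str, int]:
        return {r: getattr(self, r) for r in RECEPTORS}

    def __post_init__(self) -> None:
        if any(v not in SCALE for v in self.consequence().values()):
            raise ValueError(f"{self.name}: consequences must be 1..5")


@dataclass
class Risk:
    """Steps 2-4: a threat/vulnerability pair on an asset, its likelihood and the response."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int
    treatment: str = "tolerate"
    countermeasure: str = ""
    residual_likelihood: Optional[int] = None
    residual_consequence: Dict[str, int] = field(default_factory=dict)  # receptors that change

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.treatment not in TREATMENTS:
            raise ValueError(f"{self.label()}: likelihood must be 1..5, treatment one of {TREATMENTS}")
        # Transfer (insurance, contracts) only offloads money: it cannot lower harm to
        # people, the environment or the process, which is why it rarely settles OT risk.
        if self.treatment == "transfer" and set(self.residual_consequence) - {"financial"}:
            raise ValueError(f"{self.label()}: transfer may only reduce the financial receptor")

    def label(self) -> str:
        return f"{self.asset.name} / {self.threat}"

    def inherent(self) -> int:
        return self.likelihood * max(self.asset.consequence().values())

    def residual(self) -> int:
        if self.treatment == "terminate":
            return 0  # activity stopped, no exposure left
        likelihood = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        consequence = {**self.asset.consequence(), **self.residual_consequence}
        return likelihood * max(consequence.values())


def assess(register: List[Risk]) -> List[dict]:
    """Step 3, repeated after step 4: inherent and residual score and band per risk."""
    return [{"risk": r.label(), "treatment": r.treatment,
             "inherent": r.inherent(), "inherent_band": band(r.inherent()),
             "residual": r.residual(), "residual_band": band(r.residual()),
             "accepted": r.residual() <= TOLERANCE} for r in register]


def out_of_tolerance(register: List[Risk]) -> List[str]:
    return [row["risk"] for row in assess(register) if not row["accepted"]]


# Constructed sample register for a hypothetical plant; every rating is an assumption.
SIS = Asset("Safety PLC", reputation=4, operation=5, financial=4, people=5, environment=4)
HISTORIAN = Asset("Historian server", reputation=2, operation=3, financial=2, people=1, environment=1)
EWS = Asset("Engineering workstation", reputation=3, operation=4, financial=3, people=3, environment=2)
REGISTER = [
    Risk(SIS, "unauthorised logic download from the IT network",
         "flat network, no conduit filtering towards the safety zone", likelihood=3,
         treatment="treat", residual_likelihood=1,
         countermeasure="own zone, firewall conduit limited to the engineering host, key switch in RUN"),
    Risk(HISTORIAN, "ransomware through vendor remote access",
         "unpatched OS, shared vendor credentials", likelihood=4),
    Risk(EWS, "malware introduced by USB media", "no removable-media control", likelihood=4,
         treatment="transfer", countermeasure="cyber insurance", residual_consequence={"financial": 1}),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f'{"ok " if row["accepted"] else "OUT"} {row["risk"]:<60} {row["inherent"]:>2} '
              f'{row["inherent_band"]:<12}-> {row["residual"]:>2} {row["residual_band"]}')
```

Running it, the safety PLC risk drops from high (15) to moderate (5) once the zone and conduit controls lower its likelihood, the historian risk sits exactly on the tolerance line and is tolerated, and the engineering workstation risk stays out of tolerance at 16 despite the insurance, because the operational consequence of a USB-borne infection is untouched. Only a treatment that lowers likelihood or consequence, or terminating the practice, moves that last one into the yellow band, which is the situation the scheduled review step exists to catch.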

Author

Gerardo F. González Gionchetti
