I just finished reading the ISAGCA paper “Leveraging ISA-62443-3-2 for IACS Risk Assessment and Risk Related Strategies,” published May 2021.
It’s a great read on ISA62443 risk assessment. The first part is about the IEC 62443 -3-2, work flow and insights. The second part of the article, the “methodology“ chapter, is a great thought exercise in risk analysis regarding cyber security for industrial automation and cyber security for control systems.
Delving into high-level cybersecurity risk assessment, the paper discusses two main cyber risk methodologies: asset-based vulnerability and adversary-based vulnerability.
The paper defines vulnerability as “…flaws or weaknesses in a system’s design, implementation, operation or management providing an environment capable of being exploited in a manner that can compromise the system’s integrity or security, in turn causing harm”.
The same logic is then extended to the threat likelihood: “Likelihood, however, can be thought of as a combination of vulnerabilities and the likelihood that a threat agent or source has the requisite skills, resources, and motivation to exploit the potential vulnerabilities, or that vulnerabilities are unknowingly exploited by non-malicious human error.”
Asset-based cyber-risk assessment
This is one of the first building blocks in risk analysis and high level cybersecurity risk assessment. It is used by OT & IT IDSs for evaluating asset and protocol vulnerabilities and accordingly scoring risk.
Scanners work according to the same asset-based principal, although in some cases the model is less applicable to all layers in an ICS framework or environment. OT Safety PHA methodologies also use the same asset-based risk logic, i.e., “Document potential consequences if asset is compromised,” or “Select cyber node, e.g., a cyber asset.”
In fact, I was amazed at the asset-based-centric approach in ISO 12100 “Safety of Machinery”:
“The term “hazard” can be qualified in order to define its origin (for example, mechanical hazard, electrical hazard) or the nature of the potential harm (for example, electric shock hazard, cutting hazard, toxic hazard, fire hazard).
The hazard origin is inherent in the asset/component; it looks like the cyber origin of hazard is not fully addressed.
Cyber-adversary-based risk assessment
Adversary-based risk methodologies focus on the adversary and which attack techniques and tactics (ATT) your adversary uses. Some of your adversaries may use vulnerabilities in asset or protocols, faulty implementation/configuration, CVEs, etc.; yet others may NOT use a vulnerability in the attack at all.
The MITRE and the Lockheed Martin Kill Chain methodologies are examples of this school of thought.
The missing links
Both methodologies are essential for high-level cybersecurity risk assessment, but still need to be brought to the practical level. The missing link is conducting breach & attack simulations on a virtual digital image of the OT production network (a digital-image is basically a map of a network’s OT assets, connectivity, vulnerabilities, data-flow and topology).
Since actions such as scanning, querying controllers and installing agents pose an inherent risk, we should be very careful with active security actions inside the ICS production network. Even the presence of an active security entity in the network, which has access and privileges to monitor OT assets, poses a risk in itself.
By creating a digital image of the production system, including assets, vulnerabilities and topology, we are able to run full adversary ATT analyses and score (using machine learning) the rate of successes of each adversary on your OT network.
The simulation is data-driven; it’s not perfect. Some of the parameters are missing as we cannot perform active data collection in an ICS environment. However, by using variations of our base assumptions in the algorithm we are able to produce important insights, thus contributing to the decision-making process concerning threat likelihood and risk analysis. Information that cannot be obtained by means of passive monitoring can be added manually to the simulation, e.g. OS patch levels.
Radiflow’s approach to OT risk analysis
The Radiflow approach to OT risk analysis uses both the asset-based and adversary-based methodologies for risk analysis, while incorporating the IEC62443 framework/ISA62443 standard to address impact and threat likelihood, to calculate risk scores.
By adding the IEC 62443 framework to the risk analysis process, we are able to extend our simulations to produce mitigated risk scores, rather than merely unmitigated scores offered by other security controllers.
The Radiflow CIARA OT virtual simulator prioritizes the most effective mitigation controls for your network, as we have the needed data on topology, vulnerabilities and attack vectors used by your adversaries. The platform can be used to understand safety hazards that originate from the cyber vector in the production environment and contribute to your PHA process.
The CIARA platform is designated as a high-level cyber security risk assessment and OT cyber risk decision support tool for planning your OT security strategy, prioritizing your security control procurement and helping your SOC with contextual information on the risk of your OT environment.
We invite you to request a demo of the Radiflow platform and learn how Radiflow can improve your overall OT-security and lower your risk of cyberattack while optimizing your cybersecurity ROI.