The biggest risk is the one you don’t know you’re facing.
A risk assessment informs you as to:
- your organization’s weak points
- the consequences of manipulation of those weak points
- the ways to prevent such events from occurring
A thorough ISC security risk assessment empowers you to make informed decisions about how to protect your facilities and how to prioritize the actions you decide to take.
What constitutes a thorough ICS risk assessment? Francia, Thornton and Dawson lay out the seven steps that constitute any serious ICS risk assessment:
- Understanding of the organization, its people and assets at risk
- Specifying risks and vulnerabilities
- Establishing the probability of risks and frequency of events
- Determining impacts
- Developing mitigation
- Considering the options
- Performing cost and benefit analysis
Let’s go through them one by one.
Understanding of the organization, its people and assets at risk
Step one is understanding what, exactly, you are assessing. Creating a detailed picture of the organization, its staff and its assets – and how each piece is linked to every other piece – is the critical first stage of an ICS risk assessment.
Creating a risk assessment map is done through collecting and reviewing all relevant documentation, such as network architecture plans, human resources information and past assessments. Initial interviews with facility managers may also be helpful to understand the operations structure.
Specifying risks and vulnerabilities
Now that you’ve created a risk assessment map, it’s time to identify the weak links. How can things go wrong? Where can they go wrong?
ICS vulnerabilities fall into different categories, including:
- policy and procedure vulnerabilities (such as lack of personnel training and awareness)
- platform vulnerabilities (such as delayed patching and lack of configuration)
- network vulnerabilities (such as weak encryption and lack of redundant hardware)
Not all vulnerabilities are obvious or published. Unnecessary user accounts are a seemingly benign, but potentially exploitable ICS vulnerability.
Unaddressed vulnerabilities expose the organization to threats stemming from human error, technical glitches and intentional attacks by bad actors.
ICS and OT threat frameworks have lagged behind IT in their development. Fortunately, though, over the past 10 years, ICS-specific attacker threat matrices and frameworks have been developed, one of the most helpful being MITRE’S ATT&CK for ICS.
(It’s worth noting that their ATT&CK for ICS framework is in a collaborative wiki, while the rest of their ATTA&CK framework is in a permanent format on MITRE’S site. This shows that MITRE, as well as other producers of threat intelligence data, have been late to the game when it comes to ICS and OT security.)
The ATT&CK for ICS framework lists tactics and techniques that attackers of ICS systems are known to use. Even more helpful for ICS security risk assessments, it classifies common ICS assets (such as field controllers or data historians) and identifies the attack techniques that apply to each asset.
Having these threats in mind gives you a concrete, eye-opening focus when performing physical inspections of the facility, reviewing asset configurations, observing operations, interviewing employees, analyzing application and patching protocols, and performing port scans and penetration testing. ATT&CK for ICS is an invaluable framework when evaluating your assets and their risk potential.
Establishing the probability of risks and frequency of events
Once you’ve identified all the vulnerabilities and potential ICS cyber security threats, it’s time to calculate how likely it is for a given threat to materialize. This is no simple feat, considering the number of interdependencies in ICS and SCADA systems.
There are multiple risk assessment methods one can use, such as Hierarchical Holographic Modeling (HHM), Risk Filtering, Ranking and Management (RFRM), Event Tree Analysis (ETA), Fault-Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA).
The goal of the ICS and SCADA security risk assessment is to quantitatively determine the probability of an attack, the impact of the attack, and the reduction in risk associated with a particular countermeasure.
What types of losses would these occurrences inflict - and on what scale?
Types of consequences include:
- Harm to human life
- Monetary loss
- Reputational damage
The impact will necessarily be based on the mission criticality of any system or system component under consideration.
The risk assessment methods mentioned above help bring the different quantitative factors together to come to practical conclusions about what would happen were a threat to manifest.
Drafting a mitigation plan
After investigating which forces or entities could damage the ICS and the extent of damage they could cause, it’s time to look into how this damage could be prevented.
Some mitigation strategies require changes or additions to your ICS, such as adding new layers of controls or firewall protection.
Others involve taking advantage of the mitigation potential that is already built in to your systems, such as properly configuring your hardware for rigorous network segmentation and protection, application whitelisting and tightening of user access control.
Still others consist of applied awareness and alertness, such as detailed device inventory and change monitoring, or staying on top of patching third-party applications like Adobe and Java.
Mitigation also covers minimizing damage that cannot be (or was not) prevented. Having a tested process for incident detection, response and recovery is an important part of ICS risk mitigation.
Considering the options
Since there’s almost always more than one potential approach to mitigation, different combination of factors can – and should – be considered.
To what extent can you segment your network? Or minimize user access?
The more open and connected the network is, the more other means of mitigation will need to come in to compensate: firewalls, change monitoring or automated detection and response with local control.
Performing a cost-benefit analysis
This is where you put all the information you’ve gathered in your ICS risk assessment and apply it in practice.
For each given asset:
- what threats does it face?
- what are its underlying vulnerabilities?
- how likely is a compromise?
- what is the potential impact of a compromise?
- what are potential mitigations?
- what is the cost of implementing a given mitigation?
- how much would a given mitigation reduce risk by?
The cost-benefit analysis is an intense, inseparable part of the risk assessment. It’s not enough to know what the issues are or what you could do about them; you need clear direction on what practical measures to implement going forward.
Knowledge is power
A thorough ICS risk assessment is your ally in implementing effective ICS security solutions, protecting your OT assets and making sure your facilities can function smoothly and interrupted.
Radiflow has developed a complete suite of products to provide the highly accurate risk assessment and ICS security. Radiflow’s CIARA automated risk analysis platform, in conjunction with Radiflow’s iSID industrial threat detection solution, creates a virtual map (digital image) of the entire IT/OT network, including all assets, protocols, connections and IT systems. This virtual map can then be used for non-invasive breach attack simulations (BAS) in order to gain a clear understanding of the network’s security status. The results of the simulation are then translated into prioritized guidelines for any changes or updates to the organizations OT security system.
Finally, the risk-analysis process is repeated regularly, taking into account any new threats as well as any changes to your system, ensuring that your security measures are always up-to-date.
Radiflow has been recognized by Gartner as representative vendor in both the OT network monitoring and visibility and the cyber-physical systems (CPS) risk-management categories.
For more information about Radiflow’s ICS risk management solutions, contact us today to schedule a demo or to book a discovery call.