ICS Cyber Security Risk Assessment

An ICS cyber risk assessment is an analysis of the potential threats to the industrial technology of your organization, along with how those threats could be mitigated. The desired outcome of an ICS risk assessment is an actionable ICS cyber security plan, with action items prioritized by their impact on your ICS security.

Why is ICS risk assessment an important part of securing a facility?

Gone are the days when securing an operational facility meant installing a 24-hour security guard at the door. The isolation of industrial control systems has given way to the IIoT (Industrial Internet of Things) and other open, networked systems. While this connectedness has the potential to increase efficiency and productivity, it also has the potential to increase threats to your industrial control systems. No longer does a malicious actor need to be physically present in your facility to do damage; they can do so from thousands of miles away by using cyber attack vectors.

In order to secure an industrial facility in today’s networked world, you need to be keenly and completely aware of the ICS technology that drives your facility and the threats facing it. If you don’t know about it, you can’t secure it. And if you don’t know enough about it, you can’t secure it effectively.

A thorough ISC security risk assessment gives you awareness of your organization’s weak points, the consequences of manipulation of those weak points, and the ways to prevent such events from occurring. It empowers you to make informed decisions about how to protect your facilities, and how to prioritize the actions you decide to take.

What’s included in an ICS cybersecurity risk assessment?

A rigorous ICS cybersecurity risk assessment will include seven key components:

1. Understanding of the organization, its people and assets at risk – collection and review of relevant documentation and interviews with key personnel leads to construction of a detailed map of the organization’s physical and human resources, and how each piece connects with the other pieces.
2. Specifying risks and vulnerabilities – identification of the potential weaknesses of every physical and human resource: what can be exploited, and to what ends? Vulnerabilities can exist in the domains of policies, personnel, platforms and networks. Using a ICS threat framework like MITRE’S ATT&CK for ICS framework can be exceptionally helpful in identifying all relevant threats for any given resource.
3. Establishing the probability of risks and frequency of events – a statistical analysis of how likely any potential threat is to materialize, and how often. Calculating these probabilities is complicated for industrial control systems because of the number of interdependencies. An ICS risk assessment tool may use any one of a number of risk assessment models, including Event Tree Analysis (ETA), Fault-Tree Analysis (FTA) or Failure Mode and Effects Analysis (FMEA).
4. Determining impacts – calculation of the likely extent of the damage that would be caused should any given threat materialize. Potential areas of damage to consider are monetary damage, reputational damage and negative impact on human or animal life and health. The extent of the damage will depend on how critical and far-reaching the facility’s production is.
5. Developing mitigation – an evaluation of how damage could be prevented for any given threat. Means of mitigation include taking advantage of the security hardening potential already present in your ICS, adding new security components to your ICS and being on top of system changes and security patches for software and hardware. Mitigation also includes detection and response capabilities, as well as backup and disaster recovery plans.
6. Considering the options – mapping out the different combinations of mitigation approaches available for any given system and/or threat. Often there are significantly different mitigation means available for the same givens: minimizing access vs. maintaining more open access but adding more external protection, for example.
7. Performing cost and benefit analysis – putting all the above information together to create an ordered, prioritized plan of action as to the security value it will give to your facility.