Security risk is a function of the likelihood of a given threat source exercising a vulnerability and the resulting impact of that event on the organization. This may be expressed as:
Security Risk = (Threats x Vulnerabilities) x Impact
An effective ICS cybersecurity risk assessment must address the combination of threats, vulnerabilities, and impacts. Possible threats to a control system include malware, infected USBs, contractors with infected laptops, rogue wireless connections, ransomware, human error, and more. Vulnerabilities include a lack of policies and procedures, outdated operating systems, weak access controls, unsegmented or misconfigured networks, software bugs, outdated antivirus software, unpatched systems, poor backups, shared credentials, and more. When threats exploit vulnerabilities, the impacts can be severe: harm to health and safety or the environment, equipment damage, lost production, off-spec product, and regulatory fines.
Unfortunately, organizations often confuse other types of assessments, such as gap assessments, compliance assessments, maturity assessments, penetration tests, and vulnerability assessments, with risk assessments. These are all different assessments that serve different purposes.
Risk assessment and risk management are not new practices. Multiple risk management standards have been available for decades in the field of information technology. However, these standards were not designed—or intended—to be applied to industrial control systems. While control systems are similar to information systems in some ways, they are also different in others.
Enter ISA/IEC 62443-3-2 “Security Risk Assessment for System Design”, a new standard released in February 2020. It establishes requirements for defining a system under consideration for an industrial automation and control system. It covers what to assess, and what that assessment should look like. It defines zones and conduits, describes how to partition a system into zones and conduits, how to assess the risk of each, how to determine the target security level for each, and how to document the security requirements.
Like most performance-based standards, it provides general requirements; it is not prescriptive. It defines what to do, not how to do it. The standard defines general requirements and links those requirements to common best practices. The standard can be summarized in two figures, both workflow diagrams.
Standards are often supplemented with methodologies. Industrial control system risk assessment methodologies include consequence-driven cyber-informed engineering, and CyberPHA. Additional methods are still being developed.
CyberPHA is a systematic, safety-oriented methodology used to conduct a cyber security risk assessment of an industrial control or safety system. The methodology integrates multiple engineering disciplines, including process safety, industrial automation, industrial IT, and cyber security. It leverages established process safety management methodologies and uses that information to perform a CyberPHA. It delivers a risk-ranked mitigation plan that typically includes both cyber and non-cyber safeguards and countermeasures.
The consequences of cyber attacks are very different between information technology and operational technology systems. Therefore, the methods to assess risks in the two kinds of systems differ. The CyberPHA methodology offers a consequence-driven method to assess the security risks of operational technology systems. It is a more formal and rigorous method compared to those developed for information technology systems. The method aligns with the ISA/IEC 62443-3-2 standard and links to process safety. It starts with the process hazard analysis and the consequences established there. It uses the client's risk matrix, measuring cyber risks in the same manner as all the other risks, enabling apples-to-apples comparisons. The method aids in developing the most cost-effective road map for implementing cyber security solutions, obtaining the maximum risk reduction for the dollars spent.
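The following script is an added worked illustration of the ideas above: the Security Risk = (Threats x Vulnerabilities) x Impact relationship, assessing each zone against a risk matrix and assigning it a target security level (SL-T), and ranking candidate safeguards by risk reduction per dollar. It is not code from the article, from ISA/IEC 62443-3-2, or from any CyberPHA tool. The 1..5 scales, the 5x5 matrix, the three zones, the five countermeasures, and the mapping from risk level to SL-T are all constructed assumptions; a real assessment uses the asset owner's own risk matrix and the consequences established in the process hazard analysis.

```python
"""Zone-based ICS risk ranking (added illustration; not the article's code).

Everything below is constructed for the example: the scales, the matrix,
the zones, the countermeasures and the risk-level -> SL-T mapping.
"""
from dataclasses import dataclass

# Constructed 5x5 risk matrix (assumption): rows = likelihood 1..5,
# columns = impact 1..5, cell = risk level 1..5.
RISK_MATRIX = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 3, 4],
    [2, 3, 3, 4, 4],
    [3, 3, 4, 4, 5],
]
RISK_LABEL = {1: "low", 2: "moderate", 3: "high", 4: "very high", 5: "critical"}

# Hypothetical risk-level -> SL-T mapping. The standard leaves this choice to
# the asset owner; these values are an assumption for the example only.
RISK_TO_SLT = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4}


@dataclass(frozen=True)
class Zone:
    name: str
    threat: int         # 1..5: exposure to credible threat sources
    vulnerability: int  # 1..5: how readily a threat can exercise a weakness
    impact: int         # 1..5: worst-credible consequence taken from the PHA


@dataclass(frozen=True)
class Countermeasure:
    name: str
    zone: str
    cost: int                    # constructed cost units
    threat_delta: int = 0        # reduction applied to the zone's threat score
    vulnerability_delta: int = 0
    impact_delta: int = 0        # non-cyber safeguards typically act here


def clamp(value: int) -> int:
    """Keep a score on the 1..5 scale."""
    return min(5, max(1, value))


def likelihood(threat: int, vulnerability: int) -> int:
    """Collapse threat x vulnerability (1..25) onto the 1..5 likelihood axis."""
    return clamp(-(-(threat * vulnerability) // 5))  # ceiling division


def risk_level(zone: Zone) -> int:
    """Risk = f(threats x vulnerabilities, impact), read off the matrix."""
    row = likelihood(zone.threat, zone.vulnerability) - 1
    return RISK_MATRIX[row][zone.impact - 1]


def assess(zones):
    """Per-zone (risk level, label, SL-T), the same scale used for any other plant risk."""
    result = {}
    for z in zones:
        lvl = risk_level(z)
        result[z.name] = (lvl, RISK_LABEL[lvl], RISK_TO_SLT[lvl])
    return result


def apply(zone: Zone, cm: Countermeasure) -> Zone:
    """Residual zone scores after a countermeasure, clamped to 1..5."""
    return Zone(zone.name, clamp(zone.threat - cm.threat_delta),
                clamp(zone.vulnerability - cm.vulnerability_delta),
                clamp(zone.impact - cm.impact_delta))


def rank_countermeasures(zones, measures):
    """Order countermeasures by risk-level reduction per cost unit, best first."""
    by_name = {z.name: z for z in zones}
    rows = []
    for cm in measures:
        before = by_name[cm.zone]
        reduction = risk_level(before) - risk_level(apply(before, cm))
        rows.append((reduction / cm.cost, reduction, cm))
    rows.sort(key=lambda r: (-r[0], -r[1], r[2].name))
    return [(cm.name, reduction, round(ratio, 3)) for ratio, reduction, cm in rows]


# Constructed example zones and candidate safeguards (not from the article).
ZONES = [
    Zone("SIS", threat=3, vulnerability=4, impact=5),
    Zone("BPCS", threat=4, vulnerability=4, impact=4),
    Zone("Historian DMZ", threat=4, vulnerability=2, impact=2),
]
MEASURES = [
    Countermeasure("Segment BPCS from plant IT", "BPCS", cost=40, threat_delta=2),
    Countermeasure("Removable media controls", "BPCS", cost=5, threat_delta=1),
    Countermeasure("Patch and harden SIS engineering workstation", "SIS", cost=10,
                   vulnerability_delta=2),
    Countermeasure("Hardwired non-cyber safeguard", "SIS", cost=25, impact_delta=3),
    Countermeasure("Read-only historian replica", "Historian DMZ", cost=15,
                   vulnerability_delta=1),
]

if __name__ == "__main__":
    for name, (lvl, label, slt) in assess(ZONES).items():
        print(f"{name:14} risk={lvl} ({label:9}) SL-T={slt}")
    for name, reduction, ratio in rank_countermeasures(ZONES, MEASURES):
        print(f"{ratio:6.3f}/unit  -{reduction} level(s)  {name}")
```

Running the script ranks the cheap removable-media control ahead of the expensive segmentation project even though both lower BPCS risk by one level, and shows the non-cyber hardwired safeguard competing on equal terms with the cyber measures because all of them are scored on the same matrix.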
To read the full paper and learn more about industrial control system risk assessment and best practices in the chemical industry, click here.