Supratik Pathak

Industrial Cyber Security Risk Management

As industrial systems become increasingly digitized, so does their cyber risk. Industrial systems were once isolated and largely manual, and did not depend on communication networks or digital devices. Connecting them has created a new category of industrial risk: industrial cyber risk.

Organizations now need to define ownership of cyber risk across their business, so that they can assess cyber risk effectively and respond to cyber incidents with confidence.

The potential for injury, loss of life, loss of intellectual property, and operational disruption are among the risks you need to manage to protect your core business. I have worked with customers across 20 countries implementing ICT/OT cybersecurity solutions and have expertise that can help.

Asset Visibility Solutions

I have implemented this solution to provide a clear view of industrial assets, so that customers can make better, more informed decisions about the security of their organization.

Vulnerability Insight & Mitigation

A vulnerability intelligence feed that helps you mitigate risk effectively, reduce downtime, and allocate cybersecurity resources where they are needed most.

Improved Threat Detection

Threat detection solutions that improve the efficiency of detecting and responding to cyber threats in your ICS/OT environments.

Cyber Incident Response Planning 

I have developed and documented incident response plans for my customers and have worked with them to assess their effectiveness.

IT & OT Stakeholder Alignment

I have worked extensively with my customers to help align IT & OT security teams and operations leaders.

An ICS / OT Partner You Can Trust

Using my experience as an ICS security practitioner, I can help you understand your unique environment & build an ICS cybersecurity program that’s right for you.

A typical risk management process can be defined as a five-step process:

  1. Cyber Risk Characterization
  2. Threat Evaluation
  3. Cyber-Based Impact Analysis
  4. Risk Evaluation
  5. Risk Treatment

Step-1 – Characterizing cyber risk for critical infrastructure and other industrial organizations requires a blend of OT security, process engineering, and business continuity knowledge. In this step, the critical assets and systems are listed; the cyber architecture and security controls associated with each are identified; the associated Process Hazard Analysis (PHA) and other safety-related analyses are taken into account; and the owner of cyber risk for each asset and system is named.

Step-2 – Once the assets and systems are characterized, asset owners and operators need to evaluate the threats that may impact those systems. A common approach is to build a tailored cybersecurity threat profile based on threats specific to the organization, operating region, industry, and other unique characteristics that may affect critical infrastructure, such as vendor-specific threats. Typical threat categories include human actors using technical means, human actors using physical means, and technical problems.

Step-3 – Once critical systems have been outlined, along with the potential threats to those systems, asset owners and operators need to consider the impact associated with the loss of those systems, such as injury, loss of life, loss of intellectual property, or operational disruption.

Step-4 – Risk evaluation techniques will vary from organization to organization based on resources, maturity, and other drivers. Risk evaluation techniques should include scenario-driven analysis for OT-specific incidents.

Step-5 – Risk treatment consists of the pre-incident strategies chosen to manage the identified risk. The output of the risk evaluation drives the initial response, or risk prioritization. The treatment options are to avoid the risk, accept the risk, defer the risk, mitigate the risk, or transfer the risk.
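To show how the five steps fit together, here is a small risk register written as an added example for this page; it is not the author's tooling or any customer's data. It carries an asset through characterization (owner, safety relevance, existing controls), threat evaluation (the three categories above), impact analysis, a likelihood-by-impact evaluation, and a set of candidate treatments. The 5x5 scoring matrix, the band floors, the rule that floors safety-related high-impact scenarios at High, and the sample plant assets and scenarios are all constructed assumptions to replace with your organization's own values.

```python
"""Worked OT cyber-risk register carrying the five steps through.

Added example, not from the original page. The 5x5 scoring matrix, the
band floors, the safety override and the sample assets/scenarios are all
constructed assumptions; replace them with your own organisation's values.
"""
from dataclasses import dataclass
from enum import Enum


class ThreatCategory(Enum):
    """Step 2: the threat categories named on the page."""
    HUMAN_TECHNICAL = "human actors using technical means"
    HUMAN_PHYSICAL = "human actors using physical means"
    TECHNICAL_PROBLEM = "technical problems"


@dataclass(frozen=True)
class Asset:
    """Step 1: a characterised asset with its risk owner and existing controls."""
    name: str
    risk_owner: str
    safety_related: bool        # True when the asset appears in a PHA / safety analysis
    controls: tuple[str, ...]


@dataclass(frozen=True)
class Scenario:
    """Steps 2-3: one threat scenario against one asset, scored 1..5 on each axis."""
    asset: Asset
    threat: ThreatCategory
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (injury, loss of life, plant-wide outage)


# Step 4: band floors on the product likelihood x impact (assumed 5x5 matrix).
BANDS = ((15, "Critical"), (8, "High"), (4, "Medium"), (1, "Low"))

# Step 5: candidate treatments per band for the risk owner to choose from (assumed).
TREATMENTS = {
    "Critical": ("Mitigate", "Avoid"),
    "High": ("Mitigate", "Transfer"),
    "Medium": ("Mitigate", "Transfer", "Defer"),
    "Low": ("Accept", "Defer"),
}


def risk_band(scn: Scenario) -> tuple[int, str]:
    """Return (score, band).

    Safety-related assets with severe impact are floored at High so that an
    optimistic likelihood estimate alone cannot push a loss-of-life scenario
    down into a band where 'Accept' is on the table (assumed policy).
    """
    for value in (scn.likelihood, scn.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"likelihood/impact must be 1..5, got {value}")
    score = scn.likelihood * scn.impact
    band = next(name for floor, name in BANDS if score >= floor)
    if scn.asset.safety_related and scn.impact >= 4 and band in ("Low", "Medium"):
        band = "High"
    return score, band


def evaluate(scenarios: list[Scenario]) -> list[dict]:
    """Score every scenario and return the register ordered by descending score."""
    rows = []
    for scn in scenarios:
        score, band = risk_band(scn)
        rows.append({
            "asset": scn.asset.name,
            "owner": scn.asset.risk_owner,
            "threat": scn.threat.name,
            "scenario": scn.description,
            "score": score,
            "band": band,
            "treatments": TREATMENTS[band],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def build_sample_register() -> list[Scenario]:
    """Constructed sample data for a small plant (not from any real site)."""
    bms_plc = Asset("Burner management PLC", "Plant Operations", True,
                    ("SIS interlock", "no routable path from enterprise LAN"))
    historian = Asset("Process historian server", "IT", False,
                      ("nightly backup", "patched quarterly"))
    return [
        Scenario(bms_plc, ThreatCategory.HUMAN_TECHNICAL,
                 "engineering workstation compromised, logic download to PLC", 3, 5),
        Scenario(bms_plc, ThreatCategory.HUMAN_PHYSICAL,
                 "unauthorised person opens control cabinet, connects laptop", 2, 4),
        Scenario(historian, ThreatCategory.TECHNICAL_PROBLEM,
                 "disk failure, loss of process data", 3, 2),
        Scenario(historian, ThreatCategory.HUMAN_TECHNICAL,
                 "ransomware via enterprise file share", 3, 3),
    ]


if __name__ == "__main__":
    for row in evaluate(build_sample_register()):
        print(f"{row['band']:8} {row['score']:2}  {row['asset']:26} {row['owner']:16} "
              f"{row['scenario']}  ->  {' / '.join(row['treatments'])}")
```

Two design points worth keeping when you adapt this: the register records the risk owner on every row, so the Step-1 ownership decision is carried into prioritization rather than left in a separate document; and the safety override means a scenario against a PHA-listed asset is never scored solely on a likelihood guess, which is the practical reason Step-1 asks for the PHA in the first place.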


Supratik Pathak

SENIOR CYBER SECURITY PROFESSIONAL