Simple Steps to Complete a Risk Assessment
Cybersecurity is a hot topic in the Industrial Control System (ICS) world. What does cybersecurity mean to your organization and how do you implement proper cybersecurity? Determining how or what control an organization implements should be based on how you choose to handle risk. Risk within an organization can either be accepted (do nothing), mitigated (implement a control), or transferred (get insurance). To most efficiently implement the proper controls, a risk assessment must be completed first.

Completing a risk assessment within your organization may seem overly complicated, but it can be done in just a few simple steps. Depending on the scope of the risk assessment, you may choose one or several individual pieces of technology, a business process, a department, or even the entire organization. This is what is referred to as an asset. Next, find the value of the asset to the organization. This can be done by assigning a dollar value to the asset (what it cost to purchase or how much it makes for you) or a qualitative value (what the asset means to the organization). Now you can complete a risk assessment to understand what risks threaten the asset. Threats to your assets can be internal or external, man-made or natural, intentional or inadvertent. Since not all threats are equal, a determination must be made to understand the threat level. This is done by determining the impact of the threat and the likelihood of the threat occurring. When documenting these determinations, remember to consider threats to your assets with no controls in place. For instance, do not yet give credit for the locked server room with biometric access controls that the asset sits in. This will let you know what risk the asset adds to the organization inherently.

The final step is to determine what controls you have put into place to protect your asset. Have you put that asset in a locked server room with biometric access control? Based on the controls that have been put into place, you can see a reduction in the risk an asset poses to the organization. After this process has been completed for all identified assets, you can determine which asset poses the most risk and focus your efforts on that area. Remember, it is impossible to eliminate all risk. However, understanding your organization’s risk tolerance will help you determine if you want to accept, mitigate, or transfer any remaining risk. You do not want to spend additional funds on an asset which has already met the organizational risk tolerance.
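The steps above (asset, value, threats scored by impact and likelihood, inherent risk with no controls, residual risk after controls, comparison against the risk tolerance) can be carried through as a small risk register. The following is an added example and not code from the original article or from Interstates; the 1–5 ordinal scales, the impact-times-likelihood scoring, the way controls are modelled as reductions to likelihood or impact, and the two sample assets with their threats and controls are all assumptions constructed for illustration.

```python
"""Minimal risk register: asset -> value -> threats -> inherent risk ->
controls -> residual risk -> treatment decision against a risk tolerance.
Scales, scoring rules and sample data are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1 (low) .. 5 (high) ordinal scale


def clamp(x: int) -> int:
    """Keep impact/likelihood inside the ordinal scale after reductions."""
    return max(SCALE_MIN, min(SCALE_MAX, x))


@dataclass
class Threat:
    name: str
    impact: int       # consequence if the threat is realised (1..5)
    likelihood: int   # chance of the threat occurring (1..5)

    def score(self) -> int:
        """Threat level = impact x likelihood (1..25)."""
        return clamp(self.impact) * clamp(self.likelihood)


@dataclass
class Control:
    name: str
    mitigates: tuple[str, ...]      # names of threats this control addresses
    likelihood_reduction: int = 0   # how many scale steps it lowers likelihood
    impact_reduction: int = 0       # how many scale steps it lowers impact


@dataclass
class Asset:
    name: str
    value: int  # qualitative value to the organisation (1..5)
    threats: list[Threat] = field(default_factory=list)
    controls: list[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk with NO controls credited: worst threat score weighted by asset value."""
        return max((t.score() for t in self.threats), default=0) * self.value

    def residual_threats(self) -> list[Threat]:
        """Re-score each threat after applying every control that covers it."""
        result = []
        for t in self.threats:
            impact, likelihood = t.impact, t.likelihood
            for c in self.controls:
                if t.name in c.mitigates:
                    impact -= c.impact_reduction
                    likelihood -= c.likelihood_reduction
            result.append(Threat(t.name, clamp(impact), clamp(likelihood)))
        return result

    def residual_risk(self) -> int:
        """Risk that remains once the controls in place are credited."""
        return max((t.score() for t in self.residual_threats()), default=0) * self.value


def treatment(asset: Asset, tolerance: int) -> str:
    """Within tolerance -> accept; above it -> further spend (mitigate) or transfer."""
    return "accept" if asset.residual_risk() <= tolerance else "mitigate or transfer"


def rank_assets(assets: list[Asset], tolerance: int) -> list[dict]:
    """Register rows ordered by residual risk, highest first, to focus effort."""
    rows = [
        {
            "asset": a.name,
            "inherent": a.inherent_risk(),
            "residual": a.residual_risk(),
            "treatment": treatment(a, tolerance),
        }
        for a in assets
    ]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample data (hypothetical assets, threats and controls).
PLC = Asset(
    name="Line 1 PLC",
    value=5,
    threats=[
        Threat("unauthorised physical access", impact=5, likelihood=3),
        Threat("malware via removable media", impact=4, likelihood=4),
    ],
    controls=[
        Control("locked server room with biometric access",
                mitigates=("unauthorised physical access",), likelihood_reduction=2),
        Control("removable media blocked on engineering hosts",
                mitigates=("malware via removable media",), likelihood_reduction=2),
    ],
)
WORKSTATION = Asset(
    name="Engineering workstation",
    value=4,
    threats=[Threat("credential phishing", impact=3, likelihood=4)],
    controls=[],  # nothing in place yet, so residual == inherent
)
SAMPLE_ASSETS = [PLC, WORKSTATION]
RISK_TOLERANCE = 40  # assumed organisational tolerance on the same scale

if __name__ == "__main__":
    for row in rank_assets(SAMPLE_ASSETS, RISK_TOLERANCE):
        print(f"{row['asset']:<26} inherent={row['inherent']:>3} "
              f"residual={row['residual']:>3}  -> {row['treatment']}")
```

In the sample data the PLC has the highest inherent risk (80) but, once its controls are credited, its residual risk (40) already meets the tolerance and is accepted, so no further spend is directed at it; the uncontrolled workstation (48) is the one that now sits above tolerance and gets the attention.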

Risk assessments and risk management can seem like a daunting task for any organization, but they are essential for any organization that wants a mature and efficient cybersecurity program. Interstates has helped a multitude of ICS organizations better understand cybersecurity within their organizations and helped them move forward in a more secure and strategic manner.

______

Brandon Bohle, Interstates MIT Analyst III