The current landscape for cybersecurity risk assessments and evaluations is complex, but chances are good that you’re making it more difficult than it needs to be. While you’re consumed with worries about measuring up against cyber attackers, questioning the maturity of your cybersecurity practices, and wondering how to quantify your organization’s level of compliance, the answer is simpler than you think. Ensuring your organization is protected with a comprehensive risk assessment requires three basic steps:
- Understand your current cybersecurity risk assessment approach
- Identify the gaps or risk areas that may not be completely covered by your approach
- Take steps to bolster your risk assessment process.
Continually reviewing your current approach with a critical eye for weaknesses or gaps will help you develop an assessment protocol tailored to your organization’s needs and risk level. Read on to learn more about the basic steps for developing a robust, gap-free cybersecurity risk assessment.
What Are You Doing Now?
It’s important to step back and get a full view of how you are approaching cybersecurity risk assessments. You might be drawing your process from documents such as NERC CIP, ISA/IEC 62443, NIST 800-82, ISO 9001/27001, the NIST Cybersecurity Framework, or one of the many other industry-specific bodies of knowledge out there, and frankly, many of them overlap and cover the same things. Understanding the commonality among these documents will help you to have a solid plan in place when IT or another group comes to you with controls or regulation standards.
While your organization may have a unique approach, typically, the risk assessment process goes like this:
- Select the standards and controls against which the organization will be evaluated.
- Determine the systems within the scope of the assessment.
- Perform threat and vulnerability identification and analysis of in-scope assets.
- Evaluate the strength of enacted controls and risk mitigation measures.
- Calculate residual risk and the potential impacts to exploited vulnerabilities.
- Create and execute remediation plans for any risks outside the organization’s tolerance level.
- Document every step and action taken, then repeat steps 2-7 as necessary.
What’s in Scope?
When I’m doing assessments, I often hear questions about scope, what to check, and how detailed we need to be. If you’re unsure what your organization should include in a risk assessment, consider the following questions. If the answer is Yes, then it should be within scope:
- Does it hold a programmable configuration?
- Does it send or receive structured data?
- Can it be connected to a communications network?
- Does it interact or connect with your organization’s networks?
- Is it not covered within the assessment of another group or team within the organization?
If a device comes from the factory preset to do one thing and is not programmable, I wouldn’t include it for OT cybersecurity. Likewise with devices that send or receive structured data from an analog device to do analog things. But if a device can connect to a communications network, be it Data Highway, WirelessHART, or Zigbee, it can allow things to get on or off the network and must be included in the scope.
Where Are the Gaps?
Unfortunately, there are many ways an assessment can go wrong and major pieces of the puzzle are missed. Who is actually performing your assessment? Do they understand your site’s processes? Do they know the difference between discrete and continuous manufacturing? Maybe they have an IT/OT background and understand perfectly, but they don’t have the availability to give the assessment the time and attention it needs. Be careful in choosing the person who completes your assessment; their ability to uncover the truth will have a very real effect on your organization’s ability to enact mitigation and remediation plans to address any uncovered risks.
When you get to the point where you have a set of documents, know your scope, and have chosen the individuals conducting the assessment, it’s time to find the gaps. You will end up with vulnerability data and information on your devices, but how do you put the peanut butter and the jelly together? You’ll want to be as automated as possible with your assessment, but be wary of the buzzword frenzy of “artificial intelligence machine learning Industry 4.0.” There’s such a rush to get this technology out there that solutions are being engineered and implemented without any security considerations. Feel free to hold your supply chain partners and vendors accountable to your cybersecurity standards. If your raw material supplier gets hacked, that’s a point of ingress into your network that can get you in trouble, too.
The gaps in your assessment process may fall into these categories:
- Mobile devices
- (I)IoT devices
How Do I Fix It?
Addressing the gaps can seem overwhelming, but I suggest identifying a small number of assets and determining the stakeholders for those assets. Ask them to come up with every “what if” question they can think of. What if the radio frequency was jammed? What if it got flooded? What if someone came driving through a wall? What if someone plugged in a USB drive? No question is off limits if it helps you figure out if your assessment adequately checks for that kind of risk. If you can’t answer the question, you’ve identified a gap. Figuring out your vulnerabilities is the only way to have a robust risk assessment.
Here is a basic process to follow for solving weaknesses in your assessment:
- Identify a small number of assets and perform a comprehensive assessment with existing materials.
- Have all stakeholders ask “what if?” and determine if the risk was identified in the assessment.
- For any gap discovered:
- Determine the best way to identify the risk
- Test this evaluation on multiple assets
- Incorporate the check into future assessments
- Continue assessing and asking “what if?” until no new gaps are found.
Ultimately, you need to acknowledge that your assessment will have gaps so that you can work to address them. Engage with your risk assessment team and request a copy of the most recent assessment. It also helps to make an effort to understand the current risk assessment process for Operational Technology within your organization and engage with vendors, contractors, and partners to understand how they are performing risk assessments. This process will hopefully lead you to develop a healthy cybersecurity posture that is continually evolving and improving.
This blog originated as a presentation delivered at the ICS Conference.
Alan Raveling, Operational Technology Architect
Walk Through Our Risk Assessment Proven Process
In this guide, we outline our tried and true approach, explain what happens at each step, and describe the end product.