As cyber-attacks continue to escalate, more owners of critical infrastructure are asking whether their risk assessment framework is still adequate for today's threats. Many critical asset owners have solid IT risk frameworks, developed over the past 10-15 years, but industrial control system (ICS) risks are much different.
For an ICS, the primary concerns are human safety and fault tolerance: preventing loss of life, endangerment of public health or public confidence, and loss of equipment or intellectual property, along with regulatory compliance. The team responsible for operating, securing, and maintaining the ICS must understand the important links between safety, reliability, and security. Below you'll find the steps to help your team achieve a successful ICS risk assessment.
Create a Project Charter
The charter is a key piece of early planning. It provides the project manager with the authority to plan and execute the risk assessment project. In many cases, the company's CIO/CSO will be the executive sponsor for completing the risk assessment. The executive sponsor's main role is to provide resources and support for the project, and she/he is accountable for enabling its success. The executive sponsor should assign a project manager skilled in applying the PMI's standards and guidelines to help ensure successful delivery of the project. The project manager leads the team responsible for achieving the project objectives and becomes a critical link between the strategy and the team.
Key components of the charter are:
Statement of work - a narrative description of the service or result to be delivered by the project
Business case for the investment of time and resources
Measurable objectives
Summary milestone schedule
Preliminary budget
Assemble a great team
After a project charter is developed, it is essential that a cross-functional team be assembled with varied domain knowledge and experience to evaluate and mitigate risk in the ICS. Consider adding a member from IT, a controls engineer, a plant operator, a security subject matter expert, a member from corporate compliance, and possibly the control system vendor and/or systems integrator.
Stage 1: ICS Asset Identification & Inventory
The first task is to identify all physical and software assets. The project team should define, inventory, and categorize the applications and computer systems within the ICS, as well as the networks within and interfacing to the ICS. The focus should be on systems rather than just devices, and should include PLCs, DCS, SCADA, and instrument-based systems that use a monitoring device such as an HMI.
Stage 2: Identify Vulnerabilities & Model Threats
This stage identifies vulnerabilities, threat sources, attack vectors, and potential threat events and organizes them into attack trees. Vulnerabilities are often introduced into an ICS through inadequate or missing policies for control system security. Verifying and validating vulnerability findings and risk scenarios using penetration testing and vulnerability scoring helps to uncover security holes that could be exploited by an attacker.
Major components of this phase are:
Architecture & Network Review
Vulnerability Mapping
Configuration Reviews
Security Policy Reviews
Vulnerability Scanning
Live Network Traffic Analysis
There are many tools available for performing network vulnerability assessments on typical IT networks; however, the impact these tools may have on the operation of an ICS should be carefully considered. The additional traffic and exploits used during active vulnerability and penetration testing, combined with the limited resources of many ICS devices, have been known to cause an ICS to malfunction. A vital concept to remember during this stage is that an organization that doesn't know what its vulnerabilities and threats are cannot properly assess and deploy protection strategies sufficient to protect critical assets.
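The asset inventory of Stage 1 and the live network traffic analysis of Stage 2 can both be fed from passively captured traffic, which avoids the malfunction risk that active scanning carries on an ICS. The following is an added example, not code from the original article or its author. It assumes the plant network carries Modbus/TCP and that the frames were captured from a switch mirror port; the packets, IP addresses, unit identifiers and the authorized-writer list are constructed for illustration. It parses the Modbus/TCP MBAP header, builds an inventory of servers and the function codes each client uses against them, and flags write requests from hosts that are not on the authorized-writer list.

```python
"""Passive ICS asset inventory from captured Modbus/TCP requests.

Added example (not from the original article). Assumes Modbus/TCP and a
passive capture (e.g. a SPAN/mirror port), so nothing here sends traffic
to a controller. Packets and addresses are constructed for illustration.
"""
import struct
from collections import defaultdict

# Function codes that change controller state (writes) versus read-only polls.
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}


def build_adu(transaction_id, unit_id, function_code, data):
    """Build one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Used only to construct the sample capture below."""
    pdu = bytes([function_code]) + data
    length = len(pdu) + 1  # MBAP length field counts unit id + PDU
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + pdu


# Constructed capture: (client_ip, server_ip, TCP payload of one request).
CAPTURE = [
    # HMI polls holding registers 0..9 of PLC unit 1 behind a gateway
    ("10.10.1.20", "10.10.2.5", build_adu(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    ("10.10.1.20", "10.10.2.5", build_adu(2, 1, 0x03, struct.pack(">HH", 0, 10))),
    # HMI reads input registers from a second PLC (unit 2 on the same gateway)
    ("10.10.1.20", "10.10.2.5", build_adu(3, 2, 0x04, struct.pack(">HH", 100, 4))),
    # Engineering workstation writes a setpoint (an expected write)
    ("10.10.1.30", "10.10.2.5", build_adu(4, 1, 0x06, struct.pack(">HH", 40, 1500))),
    # Host from the IT side writes a coil: not an authorized writer
    ("10.10.9.77", "10.10.2.6", build_adu(5, 1, 0x05, struct.pack(">HH", 3, 0xFF00))),
    # Malformed frame: protocol id is not 0, so it is counted but not inventoried
    ("10.10.9.78", "10.10.2.6", struct.pack(">HHHB", 6, 7, 2, 1) + b"\x03"),
]


def parse_adu(payload):
    """Return (unit_id, function_code), or None if the frame is not well-formed."""
    if len(payload) < 8:  # MBAP header plus at least a function code
        return None
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]


def build_inventory(capture, authorized_writers):
    """Inventory Modbus servers per (ip, unit id) with the clients and function
    codes seen, and alert on writes from hosts outside authorized_writers."""
    servers = defaultdict(lambda: {"reads": set(), "writes": set(), "clients": set()})
    malformed = 0
    alerts = []
    for client, server, payload in capture:
        parsed = parse_adu(payload)
        if parsed is None:
            malformed += 1
            continue
        unit_id, fc = parsed
        entry = servers[(server, unit_id)]
        entry["clients"].add(client)
        if fc in READ_CODES:
            entry["reads"].add(fc)
        elif fc in WRITE_CODES:
            entry["writes"].add(fc)
            if client not in authorized_writers:
                alerts.append((client, server, unit_id, WRITE_CODES[fc]))
    return {"servers": dict(servers), "malformed": malformed, "alerts": alerts}


if __name__ == "__main__":
    inv = build_inventory(CAPTURE, authorized_writers={"10.10.1.30"})
    for (server, unit), info in sorted(inv["servers"].items()):
        print(f"{server} unit {unit}: clients={sorted(info['clients'])} "
              f"reads={sorted(info['reads'])} writes={sorted(info['writes'])}")
    for alert in inv["alerts"]:
        print("ALERT unauthorized write:", alert)
    print("malformed frames:", inv["malformed"])
```

The inventory keyed on (server IP, unit id) matters because a single gateway address often fronts several PLCs, so counting IP addresses alone undercounts the systems in scope. The write alert is the Stage 2 finding this data supports directly: a host that can issue writes to a controller without being an expected writer is an attack vector the team should carry into its attack trees.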
Stage 3: Calculate, prioritize, and mitigate risk
Organizations should focus on mitigating the risks with the greatest potential impact to their assets. A fundamental principle that must be part of any network protection strategy is defense-in-depth. Defense-in-depth must be considered early in the design phase and must be an integral consideration in decision making for mitigating risk. One tool that can prove invaluable is the Department of Homeland Security's CSET tool. CSET provides a consistent step-by-step process for evaluating security controls and practices by comparing them to the requirements of one or more industry-recognized standards. Once the questions are answered, CSET generates a report with prioritized, actionable recommendations to help improve the security of the systems being evaluated, based on the chosen standard.
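Stage 2 funnels findings into attack trees and Stage 3 turns them into calculated, prioritized risk. The following is an added example, not code from the original article, CSET, or the author, of how those two steps connect: an attack tree with AND/OR nodes is evaluated into a success probability, multiplied by an impact estimate to give a risk figure, and each candidate mitigation is ranked by risk reduction per unit of effort. The tree, leaf likelihoods, impact value and mitigation costs are constructed for illustration; a real assessment would take them from the team's vulnerability findings and the organization's own impact scale.

```python
"""Attack-tree risk calculation and mitigation prioritization.

Added example (not from the original article). Node names, likelihoods,
the impact value and mitigation costs below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    kind: str = "leaf"                            # "leaf", "and" or "or"
    likelihood: float = 0.0                       # leaf: chance the step succeeds today
    children: List["Node"] = field(default_factory=list)
    mitigated_likelihood: Optional[float] = None  # leaf: likelihood once the fix is in place
    mitigation_cost: float = 1.0                  # leaf: relative effort of that fix


def success_probability(node, applied=frozenset()):
    """P(attacker reaches this node). AND: every child succeeds (treated as
    independent); OR: at least one child succeeds. 'applied' names leaves
    whose mitigation is assumed to be deployed."""
    if node.kind == "leaf":
        if node.name in applied and node.mitigated_likelihood is not None:
            return node.mitigated_likelihood
        return node.likelihood
    probs = [success_probability(c, applied) for c in node.children]
    if node.kind == "and":
        p = 1.0
        for q in probs:
            p *= q
        return p
    if node.kind == "or":
        p_none = 1.0
        for q in probs:
            p_none *= 1 - q
        return 1 - p_none
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node):
    if node.kind == "leaf":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def risk(root, impact, applied=frozenset()):
    """Risk = probability of the root event x impact of the root event."""
    return success_probability(root, applied) * impact


def prioritize(root, impact):
    """Rank single mitigations by risk reduction per unit cost, best first.
    Returns (reduction_per_cost, reduction, leaf_name) tuples."""
    base = risk(root, impact)
    ranked = []
    for leaf in leaves(root):
        if leaf.mitigated_likelihood is None:
            continue
        after = risk(root, impact, frozenset({leaf.name}))
        reduction = base - after
        ranked.append((reduction / leaf.mitigation_cost, reduction, leaf.name))
    ranked.sort(reverse=True)
    return ranked


# Constructed tree: two independent paths to the same unwanted outcome.
PHISH = Node("Phishing compromises engineering workstation", likelihood=0.4,
             mitigated_likelihood=0.15, mitigation_cost=2)   # awareness + endpoint controls
REACH = Node("Workstation can reach PLC write interface", likelihood=0.9,
             mitigated_likelihood=0.2, mitigation_cost=3)    # segmentation / firewall rules
CREDS = Node("Vendor remote-access credentials stolen", likelihood=0.3,
             mitigated_likelihood=0.05, mitigation_cost=1)   # multi-factor authentication
SESSION = Node("Remote session allows unrestricted PLC writes", likelihood=0.8,
               mitigated_likelihood=0.2, mitigation_cost=4)  # jump host with write allow-list
TREE = Node("Unauthorized setpoint change on safety-relevant PLC", kind="or", children=[
    Node("Via engineering workstation", kind="and", children=[PHISH, REACH]),
    Node("Via vendor remote access", kind="and", children=[CREDS, SESSION]),
])
IMPACT = 1_000_000  # constructed loss estimate for the root event, in the org's own units


if __name__ == "__main__":
    print(f"P(root) = {success_probability(TREE):.4f}, risk = {risk(TREE, IMPACT):,.0f}")
    for per_cost, reduction, name in prioritize(TREE, IMPACT):
        print(f"{per_cost:>10,.0f} per unit effort  (-{reduction:,.0f})  {name}")
```

The AND nodes are where defense-in-depth shows up numerically: lowering either leaf of a path cuts that whole path, so the cheapest effective control is not always the one on the most likely step. The ranking is greedy over single mitigations; after the first one is chosen, rerun `prioritize` with that leaf in `applied` to pick the next, since reductions are not additive.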
Stage 4: Define roles and develop a cross-functional ICS team
Organization personnel need to understand the specific expectations associated with protecting ICS assets through clear and logical roles and responsibilities. People who work on the system every day have great insight into the vulnerabilities of the ICS network and should be given sufficient authority to carry out their assigned responsibilities. Ultimate authority and responsibility rest with the Tier 1 risk executive function, which provides a comprehensive, organization-wide approach to risk. Management-level accountability will help ensure an ongoing commitment to information security efforts.
Most organizations today are juggling many risks. These exposures may include financial risk, risk of equipment failure, and personnel safety risk, to name just a few. Risk assessments should be conducted multiple times during a system's life cycle because of the evolution of technology as a system matures. If your team is looking to develop or update your ICS risk models, feel free to reach out to me at kblue@LLBLUEeng.com or visit www.LLBLUEeng.com for more information. There you'll find helpful resources to begin creating a plan for minimizing ICS cyber risks.
Karonn Blue, P.E., PMP, is an Industrial Control System (ICS) Engineer specializing in helping organizations successfully design, secure, and integrate robust ICS solutions. After spending over 15 years in engineering, leadership, and consulting for industrial control systems, I know the challenges faced by owners of critical infrastructure and what it takes to ensure these systems remain safe, reliable, and compliant. Our team continually seeks ways that technology, global best practices, and strategic partnerships can help protect your assets as your business and the threats to it continually evolve. If you have questions, or to set up an appointment to discuss your organization's SCADA/ICS situation and needs, contact me at: kblue@LLBLUEeng.com