Conducting Risk Assessments Flashcards
Benefits of Cyber Risk Assessments
- Helps determine what plant locations/processes need to be addressed first
- Assists with understanding the threats and vulnerabilities
- Provides information which helps to intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk.
- Helps prioritize activities and resources
- Helps to evaluate countermeasures based upon their effectiveness versus their cost/complexity
Understanding Risk
- Identify critical assets
- Determine the realistic threats
- Identify existing vulnerabilities
- Understand the consequence of compromise
- Assess effectiveness of current safeguards
Identify System Under Consideration (SuC)
ISA 62443-3-2 (Section 4.1)
The organization shall clearly identify the System under Consideration (SuC), including clear delineation of the security perimeter and identification of all access points to the SuC.
Tips:
* SuC is often defined using a combination of illustrations and text
* Clearly identify assets that are in-scope
* Identify the perimeter and access points
Conduct a High-Level Cybersecurity Risk Assessment
The organization shall perform a high-level cybersecurity risk assessment of the SuC to identify the worst case unmitigated risk that the SuC presents to the organization.
Tips:
* Exercise to understand the worst case financial and HS&E consequences in the event that availability, integrity or confidentiality of the IACS is compromised.
* Scope is the entire SuC
* Team with knowledge of the industrial process should develop worst case scenarios assuming the control system has been compromised
* If available, the relevant Process Hazard Analysis (PHA) should be reviewed to help identify potential consequences.
* Results are rated using a consequence scale
Consequence Scale
Establishment of Zones and Conduits
The organization shall establish zones and conduits by grouping IACS and related assets based upon the results of the high-level cybersecurity risk assessment. Grouping may also be based on criteria such as criticality of assets, operational function, physical or logical location, required access (i.e. least privilege principles) or responsible organization.
Tips for Establishment of Zones and Conduits
- Grouping assets into zones and conduits facilitates detailed cybersecurity risk assessment
- The assignment of IACS assets to zones and conduits may be adjusted based upon the result of the detailed risk assessment.
- This is a general requirement, but special attention should be given to:
- Safety Instrumented Systems (SIS)
- Wireless Systems
- Systems that interface to the IACS but are managed by other entities (includes external systems)
- Mobile devices
Separation of Business and Control Systems Zones
Requirement
IACS assets shall be grouped into zones that are separate from business or enterprise system assets.
Rationale
Business and IACS are two different types of systems that need to be divided into separate zones, as their functionality, responsible organization, results of the high-level risk assessment and location are often fundamentally different. It is important to understand that the basic difference between business systems and IACS is the ability of IACS to impact health, safety and the environment.
Separation of Safety Instrumented System (SIS) Zones
Requirement
SIS assets should be grouped into zones that are separate from zones with non-SIS assets
Rationale
Safety Instrumented Systems (SIS) usually have different security requirements than the basic control system components that interface with them.
Separation of Temporarily Connected Devices
Requirement
Devices that are permitted to make temporary connections to the SuC should be grouped into a separate zone(s) from IACS assets.
Rationale
Devices that are temporarily connected to the SuC (e.g. maintenance laptops, portable processing equipment, portable security appliances, USB devices, etc.) are more likely exposed to a different and wider variety of threats than devices that are permanently part of the zone. Therefore, these devices should be modeled in a separate zone(s).
Separation of Wireless Communications
Requirement
Wireless communications should be in one or more zones that are separated from wired communications.
Rationale
Wireless signals are not controlled by fences and/or cabinets and are therefore more accessible than normal wired networks. Because of that, wireless devices are more likely exposed to a different and wider variety of threats than devices that are wired. Therefore, wireless devices that are allowed to access a zone should be modeled in a separate zone or conduit.
Separation of Devices Connected Via Untrusted Networks
Requirement
Devices that are permitted to make connections to the SuC via untrusted networks (e.g. remote access) should be grouped into a separate zone(s).
Rationale
It is not uncommon for organizations to grant remote access to personnel such as employees, suppliers, and other business partners for maintenance, optimization and reporting purposes. Because remote access is outside the physical boundary of the SuC, it should be modeled as a separate zone with its own security requirements.
Zone & Conduits Drawings
Requirement
The organization shall produce a drawing or a set of drawings that illustrates the zone and conduit partitioning of the entire SuC. All IACS assets in the SuC must be assigned to a zone or a conduit.
Rationale
It is important to have an overview drawing of the SuC that illustrates the zone and conduit boundaries and the assets contained within those boundaries in order to effectively communicate how the SuC is partitioned.
Document Cybersecurity Requirements, Assumptions and Constraints
Requirement
A Cybersecurity Requirement Specification (CRS) document shall be created to document general security requirements based upon company policy and standards, relevant regulations and the outcome of the high-level risk assessment as well as any mandatory security functions of the SuC.