Taking good decisions during a risk assessment

Many different methods are currently used to assess cyber risk in industrial systems. They come from the organizations that develop standards and regulations, from the consulting companies that provide risk assessment services, and from the manufacturers of products and solutions that bundle a risk calculation with what they sell. In general, we observe that everyone has their own method.

The question is: are they all equally good, effective, efficient, and sufficient? The answer is clearly no, they are not.

The first thing we must understand is why we want or should execute a risk assessment. What is the purpose of risk assessment? Generally, when we talk about risk assessment in the industrial field, we must refer to what the plant considers to be a risk. Each plant has its own definitions and criteria. What may be tolerable for one industrial plant may not be tolerable for another plant.

Risk assessment is, at bottom, a process for making decisions. Whenever we identify a risk, we must decide how to mitigate it. I would say that this is the fundamental reason for carrying out a risk assessment: to make good decisions.

In the industrial field there are many risk disciplines. Among them we can mention functional safety, process safety, worker safety, consumer safety, intrinsic security, and others, including cybersecurity. They all have things in common: they protect the same plant and the same assets, and they seek to avoid the same consequences arising from different causes.

Generic Risk Formula

The generic risk formula is R = P x I, where risk R is directly proportional to the probability P of the event and directly proportional to the impact I of its consequence. Industrial organizations create a risk matrix to frame the risk and to make mitigation decisions. These risk matrices are usually accompanied by rules written in some type of document. It is also common for there to be unwritten rules that the people of the plant know. This knowledge belongs to the plant and to no one else but the plant.

Cyber Risk Formula

When we want to apply industrial cyber risk assessment, we use another risk formula that is more representative of the new discipline. Most organizations agree that this is the correct risk formula to use, even though each organization has a different method of calculating it. As a result, there is a lot of confusion in the market regarding what is the most appropriate way to assess risk and make decisions.

Risk = Threat x Vulnerability x Impact

If we take a moment to analyze each of the methods that the different actors use to assess cyber risk, we can classify them into three types, based respectively on statistics, vulnerabilities, and consequences. There are methods that combine these three types, or try to do so.

  • Statistical or Predictive Methods. The calculation uses data obtained by processing records from the past. Based on the observation of the past, an attempt is made to predict the future. Data collection is required over a certain period of time. There are simple methods that average the results with some kind of subclassification, and there are more sophisticated predictive methods. These predictive methods are widely used and originate in information security or classic cybersecurity.
  • Vulnerability Assessment Methods. There are many methods to identify vulnerabilities, and there are different types of vulnerabilities. They are usually classified as administrative or procedural, cybernetic (typical of cybernetic devices), or physical or mechanical. Typically, when these methods are used, a severity or score is assigned to each vulnerability and some type of calculation is performed to arrive at a result. Decisions are made based on that result. These methods are widely used and originate from information security or classic cybersecurity.
  • Consequence Based Methods. These methods assess risk on the basis of the consequences that are not tolerable for the plant. To do this, it is necessary to use the plant’s own risk matrix, since risk framing differs from plant to plant and from organization to organization, and so does what each one means by consequence and by the impact of a consequence. These methods originate from the ISA99 committee, responsible for the creation of the ISA/IEC-62443 series of standards.

The million-dollar question

What is the correct or most appropriate method for making decisions in the industrial field?

To answer this question, we must first define what the objectives are: why we want to carry out a risk assessment, what is most important, what the priorities of an industrial plant are, where the real risk lies, what we should prevent from happening, and so on.

To solve a problem, we must first understand the problem. If we do not understand the problem, we will hardly be able to solve it. This is “visualizing the risk correctly”. What is industrial cyber risk? Is it realized when the cyber incident occurs, or when the consequence occurs?

This is where two principles collide: Information Security (IT) versus Industrial Cybersecurity (IACS). Information security prioritizes the protection of cyber assets, while industrial security prioritizes the protection of physical assets. What is meant by consequence and impact?

For an industrial plant, the consequences can be: (a) tank spill, (b) environmental damage, (c) boiler explosion, (d) death of one or more people, (e) plant shutdown, etc.

For information security, the priority is to prevent the occurrence of the cyber incident, on the assumption that this also prevents the second event (the consequence). That assumption is generally incorrect, or at best uncertain. A cyber incident is when a cyber asset is compromised in its confidentiality, availability, or integrity.

A cyber incident may or may not end in a consequence. This depends on the control system design and the design of the plant, also called “Plant Behavior”. We also call it “Security by Design”. We wrote about this in another article (here). This is typically ignored by most methods in use today, which prioritize the security of cyber assets over the priorities of the plant.

Right decisions. These are decisions that turn into actions contributing effectively, efficiently and sufficiently to risk mitigation. They are better understood as an investment: a decision to spend resources that are worth spending. Time and resources are dedicated to correct actions.

Incorrect decisions. These are decisions that turn into actions that do not contribute to risk mitigation. They are inefficient, uncertain, ineffective and insufficient. Maybe they mitigate, maybe not. They are better understood as an expense: a distraction of valuable resources into initiatives that do not achieve the objective. Time is wasted on actions that do not add value, which delays the actions that are effective and efficient.

Security actions can be of three basic types. These are (a) administrative or procedural, (b) cybernetic or technological, and (c) physical or mechanical. These must be developed and implemented consistently as we also explain in the article on security by design.

Let’s look at the following table comparing the different methods of making decisions.

  • Statistical: Statistical methods generally focus on threats and attack methods.
  • Vulnerabilities: These methods identify vulnerabilities and assign them a factor (or score) that ends up in a risk calculation. Vulnerabilities can be procedural, cybernetic or physical.
  • Consequences (Industrial): The method recommended by ISA/IEC-62443-3-2 is to identify all possible consequences for each zone and conduit, and to influence the system and plant design so that the consequence cannot occur even if the cyber incident eventually does.

  • Statistical: It requires the collection of statistical data from the past, which is generally not easy to obtain. Not all countries have this capacity; in fact, very few do. It requires very strong laws and regulations, and that the entire industry complies with them. Even for the most developed countries this is difficult and highly costly. Even if the money is provided by the government, that money comes from taxes.
  • Vulnerabilities: Generally, the more vulnerabilities, the more risk. In the industrial field this is not necessarily correct. Every time a vulnerability is discovered, there is a feeling that the risk increases, and the market must respond quickly by applying the patch. But a vulnerability that cannot lead to a consequence carries no risk.
  • Consequences (Industrial): The calculation of risk depends fundamentally on correctly identifying the possible consequences. If the plant stays the same, with the same physical assets and the same cyber assets, the possible consequences do not change; they remain the same even if 20 years pass.

  • Statistical: Whenever a new threat is discovered, the market must respond by protecting itself against that threat. Companies have the feeling that they are unprotected. The risk increases with each new threat, and threats appear very frequently. The feeling of security is short-term.
  • Vulnerabilities: The feeling of security lasts only as long as it takes the market to discover new vulnerabilities. Vulnerabilities are usually discovered and published by ethical hackers. Malicious hackers do not make them public; they keep them for their own benefit, but they use public vulnerabilities to develop malicious code.
  • Consequences (Industrial): The risk mitigation method is long-term and durable over time. It no longer depends on the vulnerability of the moment, nor on new threats. Vulnerabilities can be mitigated calmly, without urgency, after a case-by-case study.

  • Statistical: Security is a short-term mitigation solution. The market quickly develops a response to each new threat. Threats are generally developed by malicious actors, although sometimes they are developed by actors considered ethically correct.
  • Vulnerabilities: These methods are also reactive: first the vulnerability is discovered, then the patch is developed. Security depends on patch application.
  • Consequences (Industrial): This is permanent. It is known as a consequence-based risk mitigation method, also called security by design. It is more durable and maintainable over time. Over time it requires a lower budget; it requires investment at the beginning in order to last for decades.

  • Statistical: Risk is a race against time. It is a matter of speed: who reaches the cyber asset first, (a) the malicious hacker, to compromise it and cause damage, or (b) the security managers, applying the antidote. It is always a new sprint. Usually the good guys win, but sooner or later a sprint is lost. That day the undesired consequence for the plant ends up occurring.
  • Vulnerabilities: This is the focus of IT: to prevent the occurrence of the cyber incident. It requires permanent spending and drains the budget. This approach does not address the real problem; it is part of the problem.
  • Consequences (Industrial): A robust plant and control system design is created in which the unintended consequence for the plant can no longer occur, even if the cyber incident eventually does. A long-term solution, with the best return on investment.
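The contrast in the table above, and in the three method types described earlier, can be made concrete with a small model. The following is an added illustration written for this article; it is not WisePlant's, ISA's or any vendor's code. The zone names, vulnerability scores, likelihood and impact values, and the risk matrix are all constructed, and the 1..5 scales are an assumption. It ranks the same three zones two ways: by summing vulnerability severities, and by the worst cell of the plant's risk matrix that a cyber incident can still reach. A consequence blocked by a safeguard that the cyber assets cannot defeat contributes no risk, however many findings the zone has, and a design change that adds such a safeguard keeps its effect no matter how many new vulnerabilities are published later.

```python
"""Vulnerability-scored versus consequence-based ranking of plant zones.

Constructed example for this article; not WisePlant's, ISA's or any vendor's
code. Zone names, vulnerability scores, likelihood/impact values and the
risk matrix are made up, and the 1..5 scales are an assumption.
"""
from dataclasses import dataclass, replace
from typing import List

# Plant-defined risk matrix (constructed). Index [likelihood-1][impact-1].
# T = tolerable, A = tolerable only if reduced as far as reasonably practicable,
# I = intolerable. This framing belongs to the plant; another plant's matrix differs.
RISK_MATRIX = [
    # impact 1    2    3    4    5
    ["T", "T", "T", "A", "A"],  # likelihood 1
    ["T", "T", "A", "A", "I"],  # likelihood 2
    ["T", "A", "A", "I", "I"],  # likelihood 3
    ["A", "A", "I", "I", "I"],  # likelihood 4
    ["A", "I", "I", "I", "I"],  # likelihood 5
]
SEVERITY_ORDER = {"T": 0, "A": 1, "I": 2}


@dataclass(frozen=True)
class Consequence:
    name: str
    impact: int                  # 1..5 on the plant matrix
    likelihood: int              # 1..5, likelihood given that the cyber incident occurs
    independent_safeguard: bool  # a non-cyber safeguard (e.g. mechanical relief) blocks it


@dataclass(frozen=True)
class Zone:
    name: str
    vuln_scores: List[float]     # severity scores of known vulnerabilities in the zone
    consequences: List[Consequence]


def vulnerability_score(zone: Zone) -> float:
    """Vulnerability-assessment style: add up the severities. More findings, more risk."""
    return sum(zone.vuln_scores)


def consequence_rating(zone: Zone) -> str:
    """Consequence-based style: worst matrix cell still reachable from a cyber incident.

    A consequence blocked by a safeguard the cyber assets cannot defeat is not
    reachable, so it contributes nothing, however many vulnerabilities the zone has.
    """
    worst = "T"
    for c in zone.consequences:
        if c.independent_safeguard:
            continue
        cell = RISK_MATRIX[c.likelihood - 1][c.impact - 1]
        if SEVERITY_ORDER[cell] > SEVERITY_ORDER[worst]:
            worst = cell
    return worst


def rank_by_vulnerability(zones: List[Zone]) -> List[str]:
    return [z.name for z in sorted(zones, key=vulnerability_score, reverse=True)]


def rank_by_consequence(zones: List[Zone]) -> List[str]:
    # Stable sort: zones with an equal rating keep their input order.
    return [z.name for z in sorted(zones, key=lambda z: -SEVERITY_ORDER[consequence_rating(z)])]


def add_independent_safeguard(zone: Zone, consequence_name: str) -> Zone:
    """Design action: make one consequence unreachable, regardless of the cyber assets."""
    return replace(zone, consequences=[
        replace(c, independent_safeguard=True) if c.name == consequence_name else c
        for c in zone.consequences
    ])


# Constructed plant: three zones with made-up findings.
HISTORIAN = Zone("Historian DMZ", [9.8, 7.5, 7.5, 6.1],
                 [Consequence("reporting outage", impact=1, likelihood=3, independent_safeguard=False)])
TANK_FARM = Zone("Tank farm", [8.8, 7.2],
                 [Consequence("tank spill", impact=4, likelihood=3, independent_safeguard=True)])
BOILER = Zone("Boiler BMS", [5.3],
              [Consequence("boiler explosion", impact=5, likelihood=2, independent_safeguard=False)])
PLANT = [HISTORIAN, TANK_FARM, BOILER]

if __name__ == "__main__":
    print("vulnerability ranking:", rank_by_vulnerability(PLANT))
    print("consequence ranking:  ", rank_by_consequence(PLANT))
    hardened = add_independent_safeguard(BOILER, "boiler explosion")
    print("boiler after design fix:", consequence_rating(hardened))
```

Run as a script, the vulnerability ranking puts the historian DMZ first and the boiler last, while the consequence ranking puts the boiler first because it is the only zone from which a cyber incident still reaches an intolerable cell of the plant's matrix. After the design action, the boiler zone's rating drops to tolerable even though its vulnerability list is untouched, which is the "durable over time" property the table attributes to consequence-based methods.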

If we look at the risk formula again, we see that the approaches developed from information security, which take the security of the cyber asset as the strategy, go from left to right (a top-down approach). Security approaches based on the ISA/IEC-62443-3-2 standard go from right to left (a bottom-up approach).

What method for making good decisions is your organization using? Take time to evaluate the risk assessment approach being offered by the multiple vendors and consultants. This approach might be mitigating the budget of the end user a lot quicker than it is mitigating the risk.

Conclusion

Clearly, the best, most durable and most convenient method for the plant is one that meets the objectives and requirements of the ISA/IEC-62443-3-2 standard. Several risk assessment methods meet those requirements. The one we teach in ISA’s IC33 course is known as CPHA or Cyber PHA (Cyber Process Hazard Analysis). There are other, slightly more sophisticated methods that also meet the requirements of ISA/IEC-62443. All of them are consequence-based risk assessment methods.

About the author: Maximillian G. Kon, ISA Qualified Instructor, ISA Groups Member
