WisePlant – A WiseGroup Company

Is the safety of your plant an expense or an investment?

We continue to watch as many professionals with vast experience in information security, industrial companies taking action, renowned cybersecurity consultancies, government organizations and technology developers get it wrong (by far) when it comes to mitigating industrial cyber risk. One of the main mistakes is to implement the same strategies as in industrial information security.

Without a risk assessment, security is an expense, because effort alone does not guarantee risk mitigation: incorrect, insufficient, costly.

In a gap analysis, a list of controls on critical assets is evaluated, verifying the procedure, its implementation and its continuous improvement, and the result is used to define an industrial cybersecurity program that reduces the gaps. Ask yourself:

  • Do I know each cyber asset, its risks, its vulnerabilities, its criticality and its consequences?
  • Are the controls defined in the regulations all effective?
  • Are the controls defined in the regulations sufficient?

With a risk analysis, security is an investment, because effort is applied on the basis of knowledge: correct, sufficient, effective and economical.

Industrial cyber risk assessment and knowledge-based decision making are fundamental to selecting the actions that are effective and efficient for risk mitigation. Decisions are justified by a scientific methodology, avoiding inefficient and ineffective actions. At first this methodology is a little scary for many professionals, since it seems complex, but in reality it is the one that provides the best results.

What most are doing (the sad reality):

  • The initial cost is very high due to the number of unnecessary and inefficient actions.
  • The maintenance cost is high because of the number of unnecessary and inefficient actions that must be kept up over time.
  • An obsession develops to mitigate vulnerabilities that do not generate any real risk to the plant.
  • The Total Cost of Ownership (TCO) of industrial systems as a result of an insufficient security strategy is very high. It usually ranges from 25% to 40%.
  • The actual cyber risk is unknown. It is not calculated correctly. Many organizations assume that a maturity study or gap study is a risk analysis, when in fact it is not.
  • The residual risk is unknown. The inability to calculate cyber risk means that the current risk or the actual risk cannot be known after implementing numerous controls.
  • Decisions are usually short-term. There is a lot of pressure on the need and importance of mitigating any new vulnerabilities that are discovered.

What some are doing correctly (what it should be):

  • The initial investment is low because the result is a smaller number of recommendations, but they are very effective and very efficient.
  • There is a clear visualization and calculation of the industrial cyber risk, and for each recommendation the specific risks it mitigates are known.
  • The annual maintenance cost is lower, because there are fewer actions to maintain. In turn, these recommendations, since they are generally applied by design, require less maintenance.
  • The Total Cost of Ownership (TCO) of industrial systems increases slightly. Usually around 5%.
  • Industrial cyber risk is calculated consistently with the other industrial risk disciplines.
  • The residual risk after implementing all the recommendations is tolerable by the organization.
  • Mitigation decisions and actions are long-term, generating a certain independence from new vulnerabilities and possible new threats.

About the author: Eduardo Kando, WiseGroup Manager
