Post on 20-Aug-2018
Risk Assessments in critical infrastructure ICS
An Operator's Perspective
Franky Thrasher
Senior Cybersecurity Expert
Laborelec
A contextual approach
In our findings, the available methodologies:
• Focused on C.I.A. principles
• Were not well suited to industrial risks
• Were too conceptual and IT-minded
• Did not take into account the specific context of ICS systems
In our approach we searched for a risk assessment methodology that would:
• Address cyber security risks
• Take into account the specific context of ICS systems
• Help us prioritize our mitigation actions
How to tackle Cyber Security Risk?
1. Understand what needs protection and why
2. Select a risk discovery approach that is encompassing
3. Apply quantitative/qualitative measurements
4. Benchmark measurements against industry standards
5. Identify common vulnerabilities (low hanging fruit)
6. Identify critical vulnerabilities (urgent attention)
7. Aim for high level of risk comprehension
Cyber risk methodology composition
• Should have a Model
• Should have Phases
• Should have Quantitative/Qualitative measurement
Selecting a Methodology
Security management is the protection of assets.
Thus, cyber security management is the protection of digital “computing” assets
Risk Management Methodology
I – Risk Definition Phase
• Define scope
• Define boundaries
II – Risk Assessment Phase
• Identification
• Analysis
• Evaluation
III – Risk Decision Phase
• Decision: Avoid – Reduce – Transfer – Retain
• Residual risk acceptance
Defining parameters
• Criticality
• Security Management
• Recoverability
• Accessibility
• Vulnerabilities
Measuring criteria: Criticality
Each application is scored on Confidentiality, Integrity and Availability against the Primary Impact considerations and the Secondary Impact considerations, giving an Application Criticality Score.
Impact columns, left to right: Loss of operational functionality | Damage to operational assets | Financial loss | People safety/health | Environmental damage | Non-compliance to regulations / legal requirements | (trailing column, header not recoverable). N/A = Not applicable.
App 1 (Application Criticality Score 9.75)
  Confidentiality breach:   Low | Low | Low | N/A | N/A | Low | 0
  Maintaining integrity:    Severe | Severe | Severe | Low | Low | Significant | 0
  Unavailability impact:    Moderate | Low | Significant | N/A | N/A | Moderate | 0
  Unavailability allowance: 0-4hrs | > 48hrs | 0-4hrs | N/A | N/A | > 48hrs | 0
App 2 (Application Criticality Score 7.75)
  Confidentiality breach:   N/A | N/A | N/A | N/A | N/A | N/A | 0
  Maintaining integrity:    Significant | Significant | Significant | Low | N/A | Significant | 0
  Unavailability impact:    Significant | Low | Significant | N/A | N/A | Moderate | 0
  Unavailability allowance: 0-4hrs | > 48hrs | 4-12hrs | N/A | N/A | > 48hrs | 0
App 3 (Application Criticality Score 4.50)
  Confidentiality breach:   Low | N/A | Low | N/A | N/A | Low | 0
  Maintaining integrity:    Low | N/A | Low | N/A | N/A | Low | 0
  Unavailability impact:    Moderate | N/A | Significant | N/A | N/A | Low | 0
  Unavailability allowance: 0-4hrs | N/A | > 48hrs | N/A | N/A | > 48hrs | 0
Vendor Requirements
System Criticality Level               Corresponding WIB II / IEC 62443-2-4 compliance level
Criticality level of 9.0 or above      Gold level compliance: 272 out of 272 requirements must be met
Criticality level of 7.0 through 8.99  Silver level compliance: 218 out of 272 requirements must be met
Criticality level below 7.0            Bronze level compliance: 148 out of 272 requirements must be met
Measuring Criteria: Security Management
Maturity levels: IA = Initial/ad hoc, RI = Repeatable - intuitive, DP = Defined process, MM = Managed and measurable
Criterion                              App 1  App 2  App 3  App 4  App 5
Roles and responsibilities (RACI)      MM     MM     MM     RI     MM
Awareness and training                 RI     RI     RI     DP     RI
ICS inventory management               MM     MM     MM     DP     MM
Change management                      MM     MM     MM     RI     DP
Incident management                    RI     RI     RI     DP     RI
Acquisition                            MM     MM     MM     MM     MM
Vendor/contractor management           RI     RI     RI     DP     DP
External device management             RI     MM     RI     RI     MM
Identification and access management   RI     MM     DP     DP     RI
Risk assessment                        IA     IA     IA     RI     IA
Score                                  6.75   7.75   7      6.75   7.25
Measuring Criteria: Security Recoverability
Maturity levels: NE = Non-existent, IA = Initial/ad hoc, DP = Defined process, MM = Managed and measurable, N/A = Not applicable
Criterion                         App 1        App 2        App 3
Spare parts management            DP           IA           DP
Application/Software backup       IA           DP           DP
Backup frequency                  MM           MM           MM
Backup management                 DP           DP           DP
System restore test               NE           N/A          IA
Estimated system recoverability   12 to 24hrs  12 to 24hrs  Up to 4hrs
Redundancy management             MM           MM           DP
Contingency planning              MM           DP           DP
Energy backup management          MM           MM           NE
Score                             6.95         7.7          7
Measuring Criteria: Security Accessibility
Criterion                                                          App 1           App 2           App 3
Logical accessibility
  Local network connection?                                        Yes/controlled  No              Yes/restricted
  Is the network segregated?                                       Yes/controlled  Not applicable  Yes/controlled
  Connection to enterprise network?                                No              No              No
  Remote login capability via corp network?                        No              No              No
  Remote login capability via other means?                         No              No              No
  Is wireless connection used for system?                          No              No              No
  Link to untrusted network?                                       No              No              No
  System behind firewall?                                          Not applicable  Not applicable  Not applicable
Physical accessibility
  Physical security of perimeter (i.e. access control to grounds)  Yes/Managed     Yes/Managed     Yes/controlled
  Physical security of local room (i.e. server room)               Yes/Managed     Yes/Managed     Yes/controlled
  Physical security of individual components (i.e. rack)           Yes/restricted  Yes/Managed     Yes/restricted
Total Score                                                        9.2             10              8.5
Measuring Criteria: Security Vulnerabilities
Maturity levels: NE = Non-existent, IA = Initial/ad hoc, RI = Repeatable - intuitive, DP = Defined process, MM = Managed and measurable, N/A = Not applicable
Criterion                                App 1  App 2  App 3
OS type                                  DP     N/A    IA
System hardening                         DP     N/A    DP
System patching                          NE     N/A    NE
Antimalware installed                    NE     N/A    NE
Port restriction (i.e. USB)              MM     N/A    RI
Account privilege management applied?    DP     N/A    IA
Password protection?                     IA     N/A    IA
Machine logging and/or monitoring        NE     N/A    NE
System configuration management          MM     MM     DP
Environmental protection                 MM     DP     RI
Access Internet?                         No     N/A    N/A
Access email?                            No     N/A    N/A
System Score                             5.75   9.85   3.65
What to do after risk assessments ?
• Action plan?
• Prioritize systems?
• Or prioritize actions?
• How?
Return on experience: 80/20 % KPIs?
Systems Risk Assessment Maturity Scores / Cyber Risk KPI
Columns: Crit = Criticality; Mgmt = Sec Management maturity; Recov = Recoverability maturity; Access = Accessibility maturity; Vuln = Vulnerability maturity; Target = Risk Level Target to criticality; Actual = Actual risk level score; %S %M %R %A %V = % risk score (S M R A V), target 80% for each.
System  Crit  Mgmt  Recov  Access  Vuln  Target  Actual  %S    %M    %R    %A    %V
App 1   9.75  6.75  6.95   9.2     5.75  7.80    7.16    73%   69%   71%   94%   59%
App 2   7.75  7.75  7.7    10      9.85  6.20    8.83    114%  100%  99%   129%  127%
App 3   4.50  7     7      8.5     3.65  3.60    6.54    145%  156%  156%  189%  81%
App 4   8.75  6.75  7      9.51    7     7.00    7.57    86%   77%   80%   109%  80%
App 5   8.25  7.25  6.85   7.53    6.9   6.60    7.13    86%   88%   83%   91%   84%
App 6   5.75  7.5   6.35   7.93    3.6   4.60    6.35    110%  130%  110%  138%  63%
App 7   6.50  7.25  3.75   8.23    3.15  5.20    5.60    86%   112%  58%   127%  48%
App 8   6.50  0     0      0       0     5.20    0.00    0%    0%    0%    0%    0%
App 9   4.75  0     0      0       0     3.80    0.00    0%    0%    0%    0%    0%
App 10  7.25  0     0      0       0     5.80    0.00    0%    0%    0%    0%    0%
Return on experience?
[Chart: Criticality, Sec Management maturity, Recoverability maturity, Accessibility maturity and Vulnerability maturity plotted on a 0.00 to 10.00 scale for Test System and App 1 to App 10]
The true Challenge… Digital Resilience
Ensuring strategic enterprise capacity
1. Corporate/local Mandate
2. Budget capacity
3. Integration into existing processes
4. Knowledge and competence
5. Roles and responsibilities (HR defined Objectives)
6. Integration into enterprise risk methodology
7. Responsive incident management
Questions?
franky.thrasher (at) laborelec.com