Walk Through The Assessment Journey
In this guide, we outline our tried and true approach, explain what happens at each step, and describe the end product.
The current landscape for cybersecurity risk assessments and evaluations is complex, but chances are good that you’re making it more difficult than it needs to be. While you’re consumed with worries about measuring up against cyber attackers, questioning the maturity of your cybersecurity practices, and wondering how to quantify your organization’s level of compliance, the answer is simpler than you think. Ensuring your organization is protected with a comprehensive risk assessment requires three basic steps:
Continually reviewing your current approach with a critical eye for weaknesses or gaps will help you develop an assessment protocol tailored to your organization’s needs and risk level. Read on to learn more about the basic steps for developing a robust, gap-free cybersecurity risk assessment.
It’s important to step back and get a full view of how you are approaching cybersecurity risk assessments. You might be drawing your process from documents such as NERC CIP, ISA/IEC 62443, NIST 800-82, ISO 9001/27001, the NIST Cybersecurity Framework, or one of the many other industry-specific bodies of knowledge out there, and frankly, many of them overlap and cover the same things. Understanding the commonality among these documents will help you to have a solid plan in place when IT or another group comes to you with controls or regulation standards.
While your organization may have a unique approach, typically, the risk assessment process goes like this:
When I’m doing assessments, I often hear questions about scope, what to check, and how detailed we need to be. If you’re unsure what your organization should include in a risk assessment, consider the following questions. If the answer is Yes, then it should be within scope:
If a device comes from the factory preset to do one thing and is not programmable, I wouldn’t include it for OT cybersecurity. Likewise with devices that send or receive structured data from an analog device to do analog things. But if a device can connect to a communications network, be it Data Highway, WirelessHART, or Zigbee, it can allow things to get on or off the network and must be included in the scope.
Unfortunately, there are many ways an assessment can go wrong and leave major pieces of the puzzle missing. Who is actually performing your assessment? Do they understand your site’s processes? Do they know the difference between discrete and continuous manufacturing? Maybe they have an IT/OT background and understand perfectly, but they don’t have the availability to give the assessment the time and attention it needs. Be careful in choosing the person who completes your assessment; their ability to uncover the truth will have a very real effect on your organization’s ability to enact mitigation and remediation plans that address any uncovered risks.
When you get to the point where you have a set of documents, know your scope, and have chosen the individuals conducting the assessment, it’s time to find the gaps. You will end up with vulnerability data and information on your devices, but how do you put the peanut butter and the jelly together? You’ll want to be as automated as possible with your assessment, but be wary of the buzzword frenzy of “artificial intelligence machine learning Industry 4.0.” There’s such a rush to get this technology out there that solutions are being engineered and implemented without any security considerations. Feel free to hold your supply chain partners and vendors accountable to your cybersecurity standards. If your raw material supplier gets hacked, that’s a point of ingress into your network that can get you in trouble, too.
The gaps in your assessment process may fall into these categories:
Addressing the gaps can seem overwhelming, but I suggest identifying a small number of assets and determining the stakeholders for those assets. Ask them to come up with every “what if” question they can think of. What if the radio frequency was jammed? What if it got flooded? What if someone came driving through a wall? What if someone plugged in a USB drive? No question is off limits if it helps you figure out if your assessment adequately checks for that kind of risk. If you can’t answer the question, you’ve identified a gap. Figuring out your vulnerabilities is the only way to have a robust risk assessment.
Here is a basic process to follow for solving weaknesses in your assessment:
Ultimately, you need to acknowledge that your assessment will have gaps so that you can work to address them. Engage with your risk assessment team and request a copy of the most recent assessment. It also helps to understand the current risk assessment process for Operational Technology within your organization, and to engage with vendors, contractors, and partners to understand how they are performing their own risk assessments. This process will hopefully lead you to a healthy cybersecurity posture that is continually evolving and improving.
This blog originated as a presentation delivered at the ICS Conference.