Rising cybersecurity threats continue to highlight need for rigorous risk assessment across industrial sectors

Escalating cybersecurity threats and attacks have led to risk assessment emerging as a critical safety technique used by professionals to analyze processes or systems for potential risks that could lead to hazardous conditions impacting humans, machines, and materials. In industrial cybersecurity contexts, risk assessment plays a pivotal role in identifying, evaluating, and mitigating potential threats that could compromise the integrity, availability, and confidentiality of industrial control systems (ICS) and operational technology (OT). 

Given that sectors such as manufacturing, energy, and transportation are increasingly interconnected, they become more vulnerable to cyber-attacks. This interconnectedness underscores the importance of thorough risk assessments to protect these critical infrastructures. To address risk assessment effectively, a multi-step approach is typically employed. First, asset identification is essential. Organizations must undertake an asset inventory of the hardware and software components within their ICS and OT environments, and understand their functions and interdependencies. This step is foundational, as it highlights the critical systems and potential entry points for cyber threats.

Organizations can follow this up with threat identification covering potential adversaries and their capabilities, intentions, and methods. This includes understanding common attack vectors, such as malware, phishing, and insider threats, which could exploit vulnerabilities within the system. Vulnerability assessment follows, where known weaknesses within the ICS and OT environments are identified. This can involve scanning for outdated software, misconfigurations, and other security gaps that could be exploited by threats.

The risk analysis phase then assesses the likelihood and impact of identified threats exploiting vulnerabilities. This step often involves qualitative and quantitative methods to prioritize risks based on their potential severity. High-priority risks are those that could cause significant operational disruptions, safety hazards, or financial losses.

Mitigation strategies are then developed to address the highest risks. This can include implementing advanced security measures such as network segmentation, access controls, intrusion detection systems, and regular patch management. Additionally, employee training and awareness programs are critical to reducing human error and insider threats.

Finally, continuous monitoring and review are imperative. Cyber threats are constantly evolving, so regular updates to the risk assessment process and adaptation to new threats and vulnerabilities are necessary. Implementing an ongoing risk management framework ensures that industrial cybersecurity environments remain resilient against emerging threats. Clearly, effective risk assessment across industrial cybersecurity environments requires a comprehensive, dynamic approach that evolves with the threat landscape. By systematically identifying, analyzing, and mitigating risks, organizations can protect their critical infrastructure from cyber threats and ensure operational continuity.

Industrial Cyber reached out to industrial cybersecurity experts to understand the importance of risk assessment in industrial settings compared to other sectors. They also examined how the evolving threat landscape impacts these environments and the methods organizations use to prioritize threats during a risk assessment.

Matt Gorham, senior managing director with PwC’s Cyber & Privacy Innovation Institute

“We are going back to a geopolitical paradigm that features strategic competition, at a time when there are no consensus redlines or rules in cyber, and there is more technology for those competitors to compete with and compete on,” Matt Gorham, leader of PwC’s Cyber and Privacy Innovation Institute, told Industrial Cyber. “This is driving a dynamic and quickly evolving threat landscape.”

Additionally, Gorham pointed to the Jan. 31, 2024 testimony of FBI Director Christopher Wray that highlights the nature of the threat and its impact on industrial environments. “Given the threat landscape, staying abreast of the threats and the risk is an essential function. Risk assessments will provide crucial information, including (but not limited to) key attack surfaces, legacy asset base, and security posture. In addition, based on the risk assessment, one can also understand the key dependencies related to third-party vendors,” he added.

Tim Gale, director for industrial cybersecurity at 1898 & Co

Tim Gale, director for industrial cybersecurity at 1898 & Co., a part of Burns & McDonnell, identified that cyber risk assessment in industrial environments is essential because of the unique nature of the equipment and processes under control. “There is no one-size-fits-all approach to industrial cybersecurity, so prioritization of controls is critical. Evolving threats have pushed organizations to better understand their actual risk so they can quickly and efficiently deploy controls,” he added.

The executives move on to identify the methodologies and frameworks commonly employed for risk assessment in industrial cybersecurity and highlight how these approaches differ from those used in other sectors.

Gorham identified that NIST 800-82 and IEC 62443 are some of the global standards used. “These standards focus on OT assets and industrial processes as opposed to IT security standards such as NIST SP 800-53 and ISO 27001. Frameworks for IT security standards, OT assets, and industrial processes are all essential, but focus on separate issues,” he added.

Risk assessment methodologies commonly used in industrial cybersecurity include those found in the ISA/IEC 62443 standard, or in NIST 800-30, Gale told Industrial Cyber. “These are largely influenced by the risk assessment methodology used in the process industries for Process Hazard Analysis (PHA) where a hazard is identified in a risk scenario, followed by severity and likelihood evaluation.”

He added that other industries use methodologies like Failure Modes and Effects Analysis (FMEA) or Fault Tree Analysis (FTA). “These are more focused on individual components and specific events where PHA is a broader approach designed to cover entire systems.”
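The multi-step approach laid out earlier (asset inventory, threat and vulnerability identification, likelihood and impact analysis, prioritization) and the PHA-versus-FMEA distinction Gale draws can be shown together in one small risk register. This is an added example, not code from the article, PwC or 1898 & Co.; the assets, threats, vulnerability ratings, per-zone detection ratings and the band thresholds are constructed assumptions, not values taken from ISA/IEC 62443 or NIST SP 800-30.

```python
"""ICS/OT risk register (added example; all data below is constructed).

Each (asset, threat, vulnerability) scenario is scored two ways:
  * PHA-style: severity x likelihood on a 5x5 matrix, then banded;
  * FMEA-style: Risk Priority Number = severity x occurrence x detection,
    used here as the tie-breaker so an unmonitored asset outranks a monitored
    one at equal matrix score.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:            # step 1: asset inventory
    name: str
    zone: str           # where it sits; drives how well attacks are detected
    impact: int         # 1..5 consequence if compromised (safety/availability)
    vulns: tuple        # ids of known weaknesses found in step 3


@dataclass(frozen=True)
class Threat:           # step 2: adversary / attack vector
    name: str
    capability: int     # 1..5 how able and likely the threat is to act
    exploits: tuple     # vulnerability ids this vector can use


@dataclass(frozen=True)
class Vuln:             # step 3: weakness
    vid: str
    description: str
    exposure: int       # 1..5 how easy it is to reach and exploit


# FMEA "detection" rating per zone (1 = certain to be detected, 5 = none).
# Constructed assumption: the DMZ has an IDS, the cell zone is unmonitored.
ZONE_DETECTION = {"dmz": 2, "supervisory": 3, "cell": 5}


@dataclass(frozen=True)
class Scenario:         # one risk scenario in the PHA sense
    asset: Asset
    threat: Threat
    vuln: Vuln

    @property
    def severity(self) -> int:
        return self.asset.impact

    @property
    def likelihood(self) -> int:
        # ceiling of the mean of threat capability and vulnerability exposure
        return (self.threat.capability + self.vuln.exposure + 1) // 2

    @property
    def pha_score(self) -> int:           # 5x5 matrix cell, 1..25
        return self.severity * self.likelihood

    @property
    def rpn(self) -> int:                 # FMEA RPN, 1..125
        return self.pha_score * ZONE_DETECTION[self.asset.zone]


def band(pha_score: int) -> str:
    """Qualitative band for a 5x5 matrix score (assumed thresholds)."""
    if pha_score >= 15:
        return "critical"
    if pha_score >= 10:
        return "high"
    if pha_score >= 5:
        return "medium"
    return "low"


def build_scenarios(assets, threats, vulns):
    """Pair each asset with every threat able to exploit one of its weaknesses."""
    return [Scenario(a, t, vulns[vid])
            for a in assets for t in threats for vid in a.vulns
            if vid in t.exploits]


def rank(scenarios):
    """Step 4/5: highest matrix score first, RPN breaks ties."""
    return sorted(scenarios, key=lambda s: (s.pha_score, s.rpn), reverse=True)


# --- constructed sample data ---
VULNS = {
    "V-FW": Vuln("V-FW", "unpatched PLC firmware", exposure=4),
    "V-RDP": Vuln("V-RDP", "remote access without MFA", exposure=3),
    "V-USB": Vuln("V-USB", "USB ports enabled on engineering workstation", exposure=2),
}
ASSETS = [
    Asset("safety PLC", "cell", impact=5, vulns=("V-FW",)),
    Asset("engineering workstation", "supervisory", impact=4, vulns=("V-RDP", "V-USB")),
    Asset("historian", "dmz", impact=2, vulns=("V-RDP",)),
]
THREATS = [
    Threat("ransomware via remote access", capability=4, exploits=("V-RDP",)),
    Threat("malware on removable media (insider)", capability=2, exploits=("V-USB",)),
    Threat("targeted exploitation of PLC", capability=3, exploits=("V-FW",)),
]


def risk_register():
    """Rows of (asset, threat, band, pha_score, rpn), highest risk first."""
    return [(s.asset.name, s.threat.name, band(s.pha_score), s.pha_score, s.rpn)
            for s in rank(build_scenarios(ASSETS, THREATS, VULNS))]


if __name__ == "__main__":
    for row in risk_register():
        print(row)
```

With the sample data the safety PLC scenario ranks first (critical, 20 on the matrix) and the two medium scenarios, both scoring 8, are ordered by RPN: the engineering workstation in the less-monitored supervisory zone comes before the historian in the IDS-covered DMZ. That is the practical difference between the two methodologies: the PHA matrix ranks by consequence and likelihood alone, while the FMEA detection factor rewards the monitoring controls the article lists under mitigation.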

The executives explore the tools and technologies available for risk assessment in industrial environments, focusing on their integration with existing industrial systems.

Gorham said that many tools offered by OT monitoring technology vendors have seamless integration with SIEM / SOC and CMDB platforms.

“An important first step in risk assessment is understanding the environment,” Gale noted. “Automation of asset inventories and vulnerability management provides a more efficient data-gathering toolset. Care must be taken to ensure that deployment of any technology into the industrial control space is done without causing disruption of these critical control systems.”

The executives highlight the critical role of human factors in the cybersecurity risk assessment process and explore strategies to ensure employees are well informed and trained in cybersecurity best practices.

Gorham said that because most of the key stakeholders will be from the industrial side of the business, and because, in terms of the CIA triad, their focus is mainly ‘availability,’ it is critical to make sure that the risk assessment incorporates the correct messaging. “Confirming that key stakeholders understand the threats to and risks associated with both IT and OT and how they are related will allow better business decisions,” he added.

“It is critical to the success of a risk assessment to include all stakeholders in an industrial control system to obtain the optimal results,” Gale said. “The various insights and perspectives give the team a comprehensive picture of the risks involved. It’s imperative that all stakeholders are trained, not only in the practice of risk assessment but in their specific role-based involvement in a holistic security program.”

Lastly, the executives examine the key regulatory and compliance requirements affecting industrial cybersecurity risk assessments and discuss ways organizations can ensure compliance.

The compliance requirements differ based on the sectors, Gorham recognized. “For example, the auto sector has TISAX compliance while other sectors have TSA compliance. One new development is CISA’s proposed cyber critical infrastructure disclosure under CIRCIA. Companies should be thinking about how it might impact both their IT and OT programs,” he added.

“NIST, NERC, FERC, MTSA are among the numerous regulatory standards that impact industrial risk assessment, but the exact requirements are vertical dependent,” Gale identified. “It’s important for all asset owners to have a comprehensive Industrial Cybersecurity Program designed to not only comply with applicable standards, but to train personnel, establish roles and responsibilities, conduct audits and risk assessments, and establish engineering standards.”
