Risk Assessments in critical infrastructure ICS An Operators Perspective Franky Thrasher Senior Cybersecurity Expert Laborelec


Page 1: Risk Assessments in critical infrastructure ICS An ... · Risk Assessments in critical infrastructure ICS ... Level Corresponding WIB II /IEC62443-2-4 ... in critical infrastructure

Risk Assessments in critical infrastructure ICS

An Operators Perspective

Franky Thrasher

Senior Cybersecurity Expert

Laborelec

Page 2

A contextual approach

In our findings, the available methodologies:

• Focus on C.I.A. principles
• Are not well suited to industrial risks
• Are too conceptual and IT-minded
• Do not take into account the specific context of ICS systems

In our approach we searched for a risk assessment methodology that would:

• Address cyber security risks
• Take into account the specific context of ICS systems
• Help us prioritize our mitigation actions.

Page 3

How to tackle Cyber Security Risk?

1. Understand what needs protection and why

2. Select a risk discovery approach that is encompassing

3. Apply quantitative/qualitative measurements

4. Benchmark measurements against industry standards

5. Identify common vulnerabilities (low hanging fruit)

6. Identify critical vulnerabilities (urgent attention)

7. Aim for high level of risk comprehension

Page 4

Cyber risk methodology composition

• Should have a Model

• Should have Phases

• Should have Quantitative/Qualitative measurement

Selecting a Methodology

Security management is the protection of assets.

Thus, cyber security management is the protection of digital “computing” assets.

Page 5

Risk Management Methodology

I – Risk Definition Phase: define scope, define boundaries

II – Risk Assessment Phase: identification, analysis, evaluation

III – Risk Decision Phase: decision (Avoid – Reduce – Transfer – Retain), residual risk acceptance

Page 6

Defining parameters

• Criticality
• Security Management
• Recoverability
• Accessibility
• Vulnerabilities

Page 7

Measuring criteria: Criticality

Each application is scored on Confidentiality (Confidentiality Breach), Integrity (Maintaining Integrity) and Availability (Unavailability Impact and Unavailability Allowance) against six impact columns, in this order:

Primary Impact considerations: Loss of operational functionality | Damage to operational assets | Financial loss
Secondary Impact considerations: People safety/health | Environmental damage | Non-Compliance to regulations / legal requirements

The slide carries an unlabelled column (0 on every row) after the six impact columns, followed by the Application Criticality Score.

App 1 (Application Criticality Score 9.75)
Confidentiality Breach   | Low | Low | Low | Not Applicable | Not Applicable | Low | 0
Maintaining Integrity    | Severe | Severe | Severe | Low | Low | Significant | 0
Unavailability Impact    | Moderate | Low | Significant | Not Applicable | Not Applicable | Moderate | 0
Unavailability Allowance | 0-4hrs | > 48hrs | 0-4hrs | Not Applicable | Not Applicable | > 48hrs | 0

App 2 (Application Criticality Score 7.75)
Confidentiality Breach   | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | 0
Maintaining Integrity    | Significant | Significant | Significant | Low | Not Applicable | Significant | 0
Unavailability Impact    | Significant | Low | Significant | Not Applicable | Not Applicable | Moderate | 0
Unavailability Allowance | 0-4hrs | > 48hrs | 4-12hrs | Not Applicable | Not Applicable | > 48hrs | 0

App 3 (Application Criticality Score 4.50)
Confidentiality Breach   | Low | Not Applicable | Low | Not Applicable | Not Applicable | Low | 0
Maintaining Integrity    | Low | Not Applicable | Low | Not Applicable | Not Applicable | Low | 0
Unavailability Impact    | Moderate | Not Applicable | Significant | Not Applicable | Not Applicable | Low | 0
Unavailability Allowance | 0-4hrs | Not Applicable | > 48hrs | Not Applicable | Not Applicable | > 48hrs | 0

Page 8

Vendor Requirements

System Criticality Level | Corresponding WIB II / IEC62443-2-4 compliance level
Criticality level of 9.0 or above | Gold level compliance: 272 out of 272 requirements must be met
Criticality level of 7.0 through 8.99 | Silver level compliance: 218 out of 272 requirements must be met
Criticality level below 7.0 | Bronze level compliance: 148 out of 272 requirements must be met

Page 9

Measuring Criteria: Security Management

Criterion | App 1 | App 2 | App 3 | App 4 | App 5
Roles and responsibilities (RACI) | Managed and measurable | Managed and measurable | Managed and measurable | Repeatable - intuitive | Managed and measurable
Awareness and training | Repeatable - intuitive | Repeatable - intuitive | Repeatable - intuitive | Defined process | Repeatable - intuitive
ICS inventory management | Managed and measurable | Managed and measurable | Managed and measurable | Defined process | Managed and measurable
Change management | Managed and measurable | Managed and measurable | Managed and measurable | Repeatable - intuitive | Defined process
Incident management | Repeatable - intuitive | Repeatable - intuitive | Repeatable - intuitive | Defined process | Repeatable - intuitive
Acquisition | Managed and measurable | Managed and measurable | Managed and measurable | Managed and measurable | Managed and measurable
Vendor/contractor management | Repeatable - intuitive | Repeatable - intuitive | Repeatable - intuitive | Defined process | Defined process
External device management | Repeatable - intuitive | Managed and measurable | Repeatable - intuitive | Repeatable - intuitive | Managed and measurable
Identification and access management | Repeatable - intuitive | Managed and measurable | Defined process | Defined process | Repeatable - intuitive
Risk assessment | Initial/ad hoc | Initial/ad hoc | Initial/ad hoc | Repeatable - intuitive | Initial/ad hoc
Score | 6.75 | 7.75 | 7 | 6.75 | 7.25

Page 10

Measuring Criteria: Security Recoverability

Criterion | App 1 | App 2 | App 3
Spare parts management | Defined process | Initial/ad hoc | Defined process
Application/Software backup | Initial/ad hoc | Defined process | Defined process
Backup frequency | Managed and measurable | Managed and measurable | Managed and measurable
Backup management | Defined process | Defined process | Defined process
System restore test | Non-existent | Not Applicable | Initial/ad hoc
Estimated system recoverability | 12 to 24hrs | 12 to 24hrs | Up to 4hrs
Redundancy management | Managed and measurable | Managed and measurable | Defined process
Contingency planning | Managed and measurable | Defined process | Defined process
Energy backup management | Managed and measurable | Managed and measurable | Non-existent
Score | 6.95 | 7.7 | 7

Page 11

Measuring Criteria: Security Accessibility

Logical accessibility | App 1 | App 2 | App 3
Local network connection? | Yes/controlled | No | Yes/restricted
Is the network segregated? | Yes/controlled | Not applicable | Yes/controlled
Connection to enterprise network? | No | No | No
Remote login capability via corp network? | No | No | No
Remote login capability via other means? | No | No | No
Is wireless connection used for system? | No | No | No
Link to untrusted network? | No | No | No
System behind firewall? | Not applicable | Not applicable | Not applicable

Physical accessibility | App 1 | App 2 | App 3
Physical security of perimeter (i.e. access control to grounds) | Yes/Managed | Yes/Managed | Yes/controlled
Physical security of local room (i.e. server room) | Yes/Managed | Yes/Managed | Yes/controlled
Physical security of individual components (i.e. rack) | Yes/restricted | Yes/Managed | Yes/restricted

Total Score | 9.2 | 10 | 8.5

Page 12

Measuring Criteria: Security Vulnerabilities

Criterion | App 1 | App 2 | App 3
OS type | Defined process | Not applicable | Initial/ad hoc
System hardening | Defined process | Not applicable | Defined process
System patching | Non-existent | Not applicable | Non-existent
Antimalware installed | Non-existent | Not applicable | Non-existent
Port restriction (i.e. USB) | Managed and measurable | Not applicable | Repeatable - intuitive
Account privilege management applied? | Defined process | Not applicable | Initial/ad hoc
Password protection? | Initial/ad hoc | Not applicable | Initial/ad hoc
Machine logging and/or monitoring | Non-existent | Not applicable | Non-existent
System configuration management | Managed and measurable | Managed and measurable | Defined process
Environmental protection | Managed and measurable | Defined process | Repeatable - intuitive
Access Internet? | No | Not applicable | Not applicable
Access email? | No | Not applicable | Not applicable
System Score | 5.75 | 9.85 | 3.65

Page 13

What to do after risk assessments ?

• Action plan?
• Prioritize systems?
• Or prioritize actions?
• How?

Page 14

Return on experience: 80/20 % KPIs?

Systems Risk Assessment Maturity Scores and Cyber Risk KPI

The five "% risk score" columns (S = actual risk level score, M = Sec Management maturity, R = Recoverability maturity, A = Accessibility maturity, V = Vulnerability maturity) each have a target of 80%.

System name | Criticality | Sec Management maturity | Recoverability maturity | Accessibility maturity | Vulnerability maturity | Risk Level Target to criticality | Actual risk level score | % S | % M | % R | % A | % V
App 1 | 9.75 | 6.75 | 6.95 | 9.2 | 5.75 | 7.80 | 7.16 | 73% | 69% | 71% | 94% | 59%
App 2 | 7.75 | 7.75 | 7.7 | 10 | 9.85 | 6.20 | 8.83 | 114% | 100% | 99% | 129% | 127%
App 3 | 4.50 | 7 | 7 | 8.5 | 3.65 | 3.60 | 6.54 | 145% | 156% | 156% | 189% | 81%
App 4 | 8.75 | 6.75 | 7 | 9.51 | 7 | 7.00 | 7.57 | 86% | 77% | 80% | 109% | 80%
App 5 | 8.25 | 7.25 | 6.85 | 7.53 | 6.9 | 6.60 | 7.13 | 86% | 88% | 83% | 91% | 84%
App 6 | 5.75 | 7.5 | 6.35 | 7.93 | 3.6 | 4.60 | 6.35 | 110% | 130% | 110% | 138% | 63%
App 7 | 6.50 | 7.25 | 3.75 | 8.23 | 3.15 | 5.20 | 5.60 | 86% | 112% | 58% | 127% | 48%
App 8 | 6.50 | 0 | 0 | 0 | 0 | 5.20 | 0.00 | 0% | 0% | 0% | 0% | 0%
App 9 | 4.75 | 0 | 0 | 0 | 0 | 3.80 | 0.00 | 0% | 0% | 0% | 0% | 0%
App 10 | 7.25 | 0 | 0 | 0 | 0 | 5.80 | 0.00 | 0% | 0% | 0% | 0% | 0%
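The KPI sheet above can be recomputed from the five scores per system. The Python below is an added worked example, not code from the deck or from Laborelec; it assumes the formulas the slide's numbers imply (target = 80% of criticality, actual = mean of the four maturity scores, each % column = score divided by criticality), uses the criticality-to-tier thresholds from the Vendor Requirements slide, and treats a system with all-zero maturities (Apps 8 to 10) as not yet assessed rather than as the worst performer.

```python
# Added worked example (not from the Laborelec deck). Recomputes the KPI slide
# from the five scores per system and maps criticality to the vendor compliance
# tier of the "Vendor Requirements" slide. Formulas are inferred from the
# slide's own numbers (an assumption): target = 80% of criticality, actual =
# mean of the four maturity scores, each % column = score / criticality.

TARGET_RATIO = 0.80

# (minimum criticality, tier, WIB II / IEC 62443-2-4 requirements to meet, of 272)
TIERS = ((9.0, "Gold", 272), (7.0, "Silver", 218), (0.0, "Bronze", 148))

# name, criticality S, maturities M (management), R (recoverability),
# A (accessibility), V (vulnerability); rows copied from the KPI slide
SYSTEMS = [
    ("App 1", 9.75, 6.75, 6.95, 9.20, 5.75),
    ("App 2", 7.75, 7.75, 7.70, 10.0, 9.85),
    ("App 3", 4.50, 7.00, 7.00, 8.50, 3.65),
    ("App 6", 5.75, 7.50, 6.35, 7.93, 3.60),
    ("App 8", 6.50, 0.00, 0.00, 0.00, 0.00),  # no assessment yet
]


def compliance_tier(criticality):
    """Vendor compliance tier and requirement count for a criticality score."""
    for floor, tier, required in TIERS:
        if criticality >= floor:
            return tier, required
    raise ValueError("criticality score must be non-negative")


def kpi(system):
    """Risk target, actual risk level and rounded % scores (S, M, R, A, V)."""
    name, crit, *maturities = system
    target = TARGET_RATIO * crit
    actual = sum(maturities) / len(maturities)
    pct = [round(100 * v / crit) for v in (actual, *maturities)]
    return {"name": name, "target": target, "actual": actual, "pct": pct}


def prioritise(systems):
    """Return (systems below target, worst gap first) and (unassessed names).

    All-zero maturities mean the assessment has not been done; such a system
    must not be ranked as the worst performer, so it is reported separately.
    """
    unassessed = [s[0] for s in systems if not any(s[2:])]
    below = [(r["name"], r["target"] - r["actual"]) for r in map(kpi, systems)
             if r["name"] not in unassessed and r["actual"] < r["target"]]
    return sorted(below, key=lambda row: row[1], reverse=True), unassessed
```

On the slide's figures, prioritise(SYSTEMS) reports App 1 as the only assessed system below its target (actual 7.16 against a target of 7.80) and App 8 as unassessed, which is the prioritisation question the previous slide asks.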

Page 15

Return on experience?

[Chart: per-system scores on a 0.00 to 10.00 scale for Criticality, Sec Management maturity, Recoverability maturity, Accessibility maturity and Vulnerability maturity, plotted for Test System and App 1 to App 10]

Page 16

Return on experience?

Page 17

The true Challenge… Digital Resilience

Ensuring strategic enterprise capacity

1. Corporate/local Mandate

2. Budget capacity

3. Integration into existing processes

4. Knowledge and competence

5. Roles and responsibilities (HR defined Objectives)

6. Integration into enterprise risk methodology

7. Responsive incident management

Page 18

Questions?

franky.thrasher (at) laborelec.com

Slide 18 | Internal | 05-03-2014