Cyber Risk Assessment


A successful cyber security risk assessment begins with an approach that ultimately results in a defense-in-depth security architecture. Completing a risk assessment can uncover cyber security vulnerabilities before they become disruptive to the real-time process control and supervisory control and data acquisition (SCADA) network. Once identified, problems and vulnerabilities can be resolved before exploitation by hackers or others with malicious or non-malicious intent. This is especially important in critical infrastructure process control systems, as a cyber incident may not only have an economic or social impact on a company and community, but can also have a major negative physical impact. A cyber security breach in a critical infrastructure process control or SCADA system environment may result in personal injury, downtime, property loss, or even loss of life in a worst-case scenario.

Each layer in a network should have its own protection, and protect more critical inner layers.

The objective in any risk assessment is to find potential vulnerabilities before they become incidents. The assessment process helps identify ways to maximize operational reliability and availability of the process control and SCADA environment. Creating a successful strategy requires in-depth knowledge of the security layers that play a role in protecting control systems. Each security layer of a defense-in-depth plan represents a category of system components that must be secured and hardened to the highest level so that each system can compensate for any inherent deficiencies in the layers below it.

The risk assessment process exposes vulnerabilities in these systems and exploits weaknesses in current defenses to show how an attack could impact a process control or SCADA network.

Start with analysis

The first step in building a defense-in-depth security strategy is to conduct an audit that determines the number of existing systems and integration points, including a thorough review of the network architecture. Begin by asking yourself some basic questions:

  • Is the perimeter digitally or physically isolated?

  • Are corporate IT and plant control networks connected?

  • Are all open ports and firewall rules documented?

  • Are all remote and VPN access points documented?

  • Has an audit of all network devices been completed?

  • Have all switch and router configurations been audited?

  • Have all Ethernet and serial connected devices been audited?

  • Where are all of the protection points located on your process control network?

  • Is the Internet accessible from the plant network?

When complete, this review should include:

  • Network topology and connectivity points;

  • Information assets;

  • Software and hardware components; and,

  • Protocols, policies and procedures that manage the security features of the network environment.

This environment should be documented in a logical network diagram based on interviews with key staff on-site and by referencing existing network maps and diagrams. Your documentation should include security zones for each unique environment, along with the cyber security access control strategy in the process control and SCADA networks:

  • Network architecture—firewalls, VPNs, switches, and routers;

  • Host security—operating systems, servers, and workstations;

  • Application security—SCADA, emergency management systems (EMS), database, Internet; and,

  • Field devices—programmable logic controllers (PLCs), remote telemetry units (RTUs), intelligent electronic devices (IEDs), and other plant equipment.
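Three of the audit questions above (are firewall rules documented, is the Internet accessible from the plant network, are corporate IT and plant control networks connected) can be checked mechanically once the zones and rules are written down. The following is an added example, not part of the original article; the zone names, ports, rule inventory and `doc` references are constructed assumptions.

```python
from collections import deque

# Constructed sample inventory: allow rules between security zones.
# Zone names, ports and the "doc" references are assumptions for illustration.
RULES = [
    {"src": "corporate", "dst": "internet", "port": 443, "doc": "FW-001"},
    {"src": "corporate", "dst": "dmz", "port": 443, "doc": "FW-002"},
    {"src": "dmz", "dst": "control", "port": 1433, "doc": "FW-003"},
    {"src": "control", "dst": "field", "port": 502, "doc": "FW-004"},
    {"src": "control", "dst": "corporate", "port": 445, "doc": None},  # undocumented
]

def reachable(rules, start):
    """Zones reachable from `start` by chaining allow rules (breadth-first).

    Chaining is a deliberate worst-case simplification: it assumes traffic
    allowed into a zone can be relayed onward by a host in that zone.
    """
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r["src"] == zone and r["dst"] not in seen and r["dst"] != start:
                seen.add(r["dst"])
                queue.append(r["dst"])
    return seen

def audit(rules, plant_zones=("control", "field"), it_zone="corporate"):
    """Answer three of the checklist questions from the rule inventory."""
    findings = []
    for r in rules:  # Are all firewall rules documented?
        if not r["doc"]:
            findings.append(f"undocumented rule: {r['src']} -> {r['dst']}:{r['port']}")
    for zone in plant_zones:  # Is the Internet accessible from the plant network?
        if "internet" in reachable(rules, zone):
            findings.append(f"internet reachable from {zone}")
    for r in rules:  # Are corporate IT and plant control networks connected?
        pair = {r["src"], r["dst"]}
        if it_zone in pair and pair & set(plant_zones):
            findings.append(f"direct IT/plant connection: {r['src']} -> {r['dst']}")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

In the sample data a single undocumented rule produces all three findings, which is why the rule inventory and the zone diagram need to be reviewed together.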

The next step is to conduct a vulnerability assessment to assist in understanding the current vulnerabilities in the physical, IT, process control and SCADA environment. The objective is to understand all potential threats and associated risks of a cybersecurity event. Understanding all critical systems and the potential impact of cyber security events provides the basis for determining the investment required to protect this environment.

The only way to know for sure if a hacker or intruder can actually gain access into your network and/or facility is to test the vulnerabilities found in an assessment with a technique called penetration testing. This is, in effect, trying to hack into your own system. The purpose of this exercise is to use penetration tools and techniques to identify network vulnerabilities that might easily be exploited by a malicious attacker. Penetration testing activities may vary depending on the process control and SCADA network environment, but should include identifying all access points that connect to the network system, including communication interfaces, network connections, routers, switches, and any other external connection. All vulnerabilities discovered, including successful penetrations, should be identified.

Following the vulnerability assessment and penetration testing, a summary report of the penetration test should be created that outlines the results of the attempted network infiltration.

Finish with analysis

Finally, conduct a detailed gap analysis with all parties involved to determine the impact of unauthorized access to a process control or SCADA network environment. The objective is to help assess and compare the current level of cyber security protection against the recommended cyber security posture in the given process control or SCADA network environment. It is important to document all relevant deficiencies along with a recommendation for mitigating actions to meet all identified requirements. (An organization such as Industrial Defender can assist with the assessment process and help formulate appropriate security goals and objectives.) Each day operating with an unhardened network allows time for cyber criminals to find and exploit weaknesses.

Author Information

Todd Nicholson is chief marketing officer, Industrial Defender Inc.
