High-level risk assessment for cybersecurity
A high-level risk assessment is the starting point of an industrial cybersecurity risk assessment in compliance with the cybersecurity lifecycle defined by the international standard IEC 62443 for OT Security.
Within a complete IEC 62443 risk assessment, the high-level risk assessment is performed to determine the potential consequences in the event that a plant or system is compromised by a cyber attack. It helps identify the most critical areas inside a plant, where adequate mitigation actions are required. In a high-level risk assessment, cyber attacks are analyzed by assuming they succeed, i.e. that the control system is compromised, and by focusing on the severity of the resulting damage. An IEC 62443 risk assessment must be understood as a means of estimating the risks related to operational technology (OT) cybersecurity once top management has defined which consequences are most critical for its business. This definition is what the IEC 62443 standard calls the business rationale.
The high-level risk assessment is then deepened by a detailed analysis (the low-level risk assessment), which takes into consideration the specific vulnerabilities of the systems to be analyzed, concentrating on the parts of the infrastructure whose compromise would have the most serious consequences.
The calculation of high-level cyber risk is based on the following formula:
Risk = Threat Potential × Probability (event happens) × Consequence (of the event)
The probability that the event happens must be determined by considering a specific asset and its attractiveness, i.e. how profitable attacking that asset is, in economic terms, for an attacker.
At this stage, it is important to weigh the consequences in order to quantify the cyber risks. The high-level risk assessment simply treats the event as probable, without going into detail on which countermeasures are already in place or which vulnerabilities are present. In other words, for each asset we answer this question: if this specific asset is successfully attacked, what is the worst consequence my business will suffer?
An industrial cybersecurity risk assessment is an analysis intended for top management; for this reason, consequences are expressed in economic terms. The purpose of this analysis is not to establish in detail what damage and what consequences derive from a cyber attack on the industrial system, nor what type of countermeasures must be implemented. The high-level risk assessment only allows us to summarily quantify which risks are connected to OT cybersecurity and, again summarily, what weight these risks carry. In this sense, the parameter that best quantifies the damage is the economic one.
Technical standards for high-level risk assessment
The following table shows the technical standards within the IEC 62443 standard applicable to the high-level risk assessment:
IEC 62443 provides the guidelines for understanding the requirements and models needed to set up a risk analysis in accordance with the cybersecurity lifecycle, which starts from the macroscopic assessment of the impact of a cyber attack on an industrial control system. As mentioned, the high-level risk assessment starts with the evaluation of the business rationale.
What is business rationale
Within any organization, the road to developing an effective industrial cybersecurity risk assessment begins with top management becoming aware of the technical, commercial, and reputational damage that a cyber attack can cause. The business rationale is a high-level description of the possible consequences of a cyber attack targeting the most sensitive corporate assets. Starting from the assessment of these consequences, we plan the next actions aimed at implementing a cybersecurity management system (CSMS) in compliance with the IEC 62443 standard.
In the following example of business rationale, we examine a few of the most considerable consequences of a cyber attack:
- Business continuity. An attack on an infrastructure can shut down the plant connected to that infrastructure for a long time. The consequences of the shutdown can be examined on different levels: at the level of the attacked system, or at the level of the other systems in the same plant that interact with it. In this case, the damage from a plant shutdown must be assessed in terms of loss of production.
- Safety. Threats that can alter or inhibit the safety functions present on machines, systems, or environments, where the safety automation is implemented by means of safety PLCs that exchange signals over network connections. Such threats can lead to injuries or accidents. Here too, the assessment is carried out on several levels, in terms of impact on internal staff or on external staff.
- Environment. When equipment intended for the production and control of hazardous emissions is attacked and manipulated, the risk of hazardous environmental emissions must be evaluated in the same way as the safety aspect (see the previous point).
Business rationale helps define the critical consequences and thresholds to be taken into account along the high-level risk assessment and the weight that each consequence represents for a company. The table below presents an example of business rationale.
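The following worked example ties the risk formula above to the business rationale: it is an added illustration, not code from the original article or from H-ON Consulting. It assumes ordinal 1..5 scales for threat potential and asset attractiveness, maps attractiveness to a probability, weights each consequence category in euros according to an assumed business rationale, takes the single worst consequence per asset, and flags assets whose risk exceeds an assumed tolerance as candidates for the low-level risk assessment. All asset names, scores and money values are constructed.

```python
"""High-level (IEC 62443-style) risk register: added example, not from the article.
Scales, weights, tolerance, asset names and losses are constructed assumptions."""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed ordinal scale 1..5 for threat potential and attractiveness

# Assumed business rationale: how top management weighs each consequence category
# (multiplier on the euro loss) and the risk it is willing to tolerate per asset.
BUSINESS_RATIONALE = {
    "weights": {"business_continuity": 1.0, "safety": 3.0, "environment": 2.0},
    "risk_tolerance_eur": 250_000.0,
}


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    threat_potential: int            # 1..5, from the threat landscape
    attractiveness: int              # 1..5, economic payoff for an attacker
    worst_consequence_eur: dict[str, float]  # category -> worst-case loss if compromised


def likelihood(attractiveness: int) -> float:
    """Probability that the event happens, derived from attractiveness only.
    A high-level assessment deliberately ignores existing countermeasures
    and known vulnerabilities; those belong to the low-level assessment."""
    if not 1 <= attractiveness <= SCALE_MAX:
        raise ValueError(f"attractiveness must be 1..{SCALE_MAX}")
    return attractiveness / SCALE_MAX


def worst_consequence(asset: Asset, weights: dict[str, float]) -> tuple[str, float]:
    """Answer 'what is the worst consequence if this asset is compromised?'
    Returns the dominant category and its weighted economic loss."""
    weighted = {c: loss * weights.get(c, 1.0)
                for c, loss in asset.worst_consequence_eur.items()}
    category = max(weighted, key=weighted.get)
    return category, weighted[category]


def high_level_risk(asset: Asset, rationale: dict = BUSINESS_RATIONALE) -> dict:
    """Risk = Threat Potential x Probability(event happens) x Consequence."""
    if not 1 <= asset.threat_potential <= SCALE_MAX:
        raise ValueError(f"threat_potential must be 1..{SCALE_MAX}")
    category, consequence = worst_consequence(asset, rationale["weights"])
    risk = asset.threat_potential * likelihood(asset.attractiveness) * consequence
    return {
        "asset": asset.name,
        "zone": asset.zone,
        "driver": category,
        "risk_eur": risk,
        # Exceeding the tolerance marks the asset for the detailed (low-level) assessment.
        "needs_low_level": risk > rationale["risk_tolerance_eur"],
    }


def rank_assets(assets: list[Asset], rationale: dict = BUSINESS_RATIONALE) -> list[dict]:
    """Rank assets from highest to lowest high-level risk."""
    return sorted((high_level_risk(a, rationale) for a in assets),
                  key=lambda r: r["risk_eur"], reverse=True)


# Constructed sample register (hypothetical plant, hypothetical figures).
ASSETS = [
    Asset("Safety PLC, furnace line", "Zone A", 3, 2,
          {"business_continuity": 400_000, "safety": 1_500_000, "environment": 200_000}),
    Asset("Packaging line PLC", "Zone B", 4, 4,
          {"business_continuity": 120_000, "safety": 20_000, "environment": 0}),
    Asset("Emissions scrubber controller", "Zone C", 2, 1,
          {"business_continuity": 50_000, "safety": 100_000, "environment": 900_000}),
    Asset("Historian server", "DMZ", 5, 3,
          {"business_continuity": 30_000, "safety": 0, "environment": 0}),
]

if __name__ == "__main__":
    for r in rank_assets(ASSETS):
        flag = "LOW-LEVEL ASSESSMENT" if r["needs_low_level"] else "accept"
        print(f"{r['asset']:32} {r['zone']:7} {r['driver']:20} "
              f"{r['risk_eur']:>14,.0f} EUR  {flag}")
```

Note that the scrubber controller, despite a low threat potential and low attractiveness, outranks the packaging PLC once the environmental weight from the business rationale is applied; this is the effect the text describes when it says the consequence, not the attack mechanics, drives a high-level assessment.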
Cybersecurity risk assessment proposal
As mentioned, the first step in developing an OT cybersecurity plan is the macroscopic estimation of the risk deriving from a cyber attack, which is articulated in four phases.
- Inspection/conference call for the survey of preliminary information, where we investigate the main properties of the network architecture
- Definition of business rationale; this phase involves the discussion of all possible consequences of an attack and the estimation of damages
- High-level risk assessment (preliminary), aimed at highlighting the results of business rationale
- High-level risk assessment (final), where we complete the analysis by providing all the information needed for managing cybersecurity processes. In this way, internal personnel will be able to deal with cybersecurity issues such as opportunistic cyber incidents (e.g. ransomware or DDoS) or damage caused by the human factor (e.g. social engineering).
This work is the fundamental and preparatory starting point for the next actions, which have the final aim of establishing the mitigation measures addressed to industrial control systems.
– This article originally appeared on H-ON Consulting’s website. H-ON Consulting is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.