The assets within the established scope should be identified and valuated, and their dependencies should be extracted.
The dependencies among assets can differ for each cybersecurity criterion. Asset dependency is one of the parameters used in calculating asset value. By accumulating the asset values while taking the dependencies into account, we can calculate the value of cyber assets. As a rule of thumb, cyber assets that other assets depend on more heavily have a higher asset value.
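The accumulation described above can be sketched as follows. This is an added example, not part of the original article. The accumulation rule (an asset's own value plus the degree-weighted own value of every asset that depends on it, directly or transitively), the three criteria, the 0-10 scale, and all asset names and numbers are assumptions chosen for illustration.

```python
from collections import defaultdict

CRITERIA = ("confidentiality", "integrity", "availability")

# Constructed sample inventory: each asset's own value per criterion (0-10 scale).
OWN_VALUE = {
    "hmi":       {"confidentiality": 2, "integrity": 6, "availability": 8},
    "historian": {"confidentiality": 6, "integrity": 4, "availability": 2},
    "plc":       {"confidentiality": 1, "integrity": 9, "availability": 9},
    "ot_switch": {"confidentiality": 1, "integrity": 2, "availability": 2},
}
# Constructed dependencies: (dependent, relied-on asset, criterion, degree in (0, 1]).
DEPENDS_ON = [
    ("hmi", "plc", "integrity", 1.0),
    ("historian", "plc", "integrity", 0.5),
    ("hmi", "historian", "confidentiality", 0.5),
    ("hmi", "plc", "availability", 1.0),
    ("hmi", "ot_switch", "availability", 1.0),
    ("plc", "ot_switch", "availability", 0.5),
    ("historian", "ot_switch", "availability", 1.0),
]

def strongest_degrees(edges, source):
    """Max-product dependency degree from source to every asset it relies on."""
    best, stack = {source: 1.0}, [source]
    while stack:
        node = stack.pop()
        for relied_on, degree in edges.get(node, ()):
            reach = best[node] * degree
            if reach > best.get(relied_on, 0.0):  # degrees <= 1, so loops never improve
                best[relied_on] = reach
                stack.append(relied_on)
    del best[source]
    return best

def accumulated_values(own, dependencies):
    """Assumed rule: own value plus degree-weighted own value of every dependent."""
    result = {asset: dict(values) for asset, values in own.items()}
    for criterion in CRITERIA:
        edges = defaultdict(list)
        for dependent, relied_on, crit, degree in dependencies:
            if crit == criterion:
                if not 0.0 < degree <= 1.0:
                    raise ValueError(f"degree out of range: {degree}")
                edges[dependent].append((relied_on, degree))
        for dependent in own:
            for relied_on, degree in strongest_degrees(edges, dependent).items():
                result[relied_on][criterion] += degree * own[dependent][criterion]
    return result
```

Calling `accumulated_values(OWN_VALUE, DEPENDS_ON)` raises the switch's availability value from 2 to 16.5 because three other assets rely on it, while its integrity value stays at 2, which shows both the rule of thumb and the per-criterion difference.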
Identify potential threat events and the threat actors that could initiate the events.
The threat actors may have different levels of capabilities, which affect the likelihood of their success in potential cyber attacks. We can classify them in qualitative or semi-qualitative ways.
Threat events can be classified based on many factors, such as the attack technique, vulnerability type, effect on cyber assets, etc.
Existing and planned controls should be identified along with the assets they protect.
Existing controls should be identified to understand the span and type of cybersecurity coverage there is for assets and to avoid unnecessary work or costs. Control effectiveness should be checked to understand what kind of protection is in place.
Identify vulnerabilities that can be exploited by threat sources and the predisposing conditions that affect the likelihood of threat events that, despite existing cybersecurity controls, can cause harm to the identified assets.
Vulnerabilities can be related to asset properties and the deviation in asset use from its originally intended use.
Vulnerabilities typically appear in:
- organizational information and control systems
- processes and procedures
- management routines
- personnel
- physical environment
- network environment
- system configurations
- hardware, software or communications equipment
- cybersecurity control systems
- dependence on external parties
The consequences and potential incident scenarios of successful threat events should be identified.
The impact of a successful threat event can be permanent or temporary, or can behave in other ways over time. The consequences can be of different natures, e.g., financial, safety, environmental, reputation, etc.
The operational consequences of incident scenarios can be identified in terms of the following, among others:
- Environmental
- Health and safety
- Financial cost
- Regulatory enforcement
- Time lost
- Opportunity lost
- Skills lost or needing recovery
- Reputation lost
The likelihood of the incident scenarios that are identified based on the impact criteria should be calculated.
A three-step process to determine the likelihood of incident scenarios needs to be performed:
- Analyze the likelihood that threat events will be initiated by the threat source, which could be a natural cause, a cyber attacker, etc. This may involve cost-benefit analysis from the threat source perspective.
- Analyze the likelihood of the threat event happening and causing different incident scenarios, despite the existence of cybersecurity controls.
- Analyze the likelihood of incident scenarios successfully causing the impact that is identified in the impact criteria.
Determine cybersecurity risks from threat events, while considering the impact and likelihood of the events.
Using the values assigned to the likelihood and impact of an incident scenario, the risk assessment assigns value to the identified risk, which has a place on the risk matrix. Each estimated risk is a combination of one or multiple incident scenarios, their likelihood and impact. Some related minor risks can be aggregated to form fewer major risks.
Conclusion
An IACS cybersecurity risk assessment indicates the status of risks to the operational environment at the time of the assessment. In order to have up-to-date visibility over the current risk posture of the environment, the organization should perform risk assessments on a regular basis and when a major change occurs, throughout the risk management life cycle, and across all organizational tiers.