ICS (Industrial Control System) as a cyber target is not an abstract “we’ll worry about it when it happens thing” any more (and maybe never was). Stuxnet, Night Dragon, etc. are harsh indicators that the ICS has been realized to be a high value target for either industrial and business or strategic political reasons.
Because of the United States’ extensive reliance on control systems and connectivity, a bad actor might see the opportunity to economically attack whereas a military attack wouldn’t be considered.
Vulnerability – Flaw or Weakness that may lead to an undesired consequence
Risk – Characterization of the likelihood and severity of consequence
Risk Assessment identifies and characterizes
The Model Assess Perform Risk Assessment & Gap Analysis Establish Areas and Vectors Determine Targets Change Align Areas and Vectors to Acceptable Levels Confirm results New Security Level Maintain Periodically Assess Update Stay Current
The Model – Likelihood vs Consequence Moderate Risk High Risk Low Risk Moderate Risk Likelihood Consequence
The Model – Probability vs Impact Probability Impact 4 = Very Likely 4 = Severe Impact 3 = Likely 3 = Major Impact 2 = Not Likely 2 = Minor Impact 1 = Beyond Unlikely 1 = No Impact
The Model – Probability vs Impact Vector Probability Internet, Wireless (Open) 4 = Very Likely Internet, Wireless (Password) 3 = Likely Internet, Wireless (Authenticated) 2 = Not Likely No Outside Connection 1 = Beyond Unlikely
The Model – Probability vs Impact Impact 1 = No Impact 2 = Minor Impact 3 = Major Impact 4 = Severe Impact Public View Ok Tarnished Recoverable Lost Confidence Environmental Ok Damaged Broken Destroyed Personnel Ok First Aid, Medical Treatment Hospitalization Fatality Production No Loss Minor Loss Moderate Loss Major Loss