The key - strive for strategy and effective actions
Communication of risks in business terms is crucial
Not the way to appear in the newspaper…
Provide basic tools – you will need to do more
Demonstrate and discuss use of the tools
Work through strategy definition
Discuss and suggest plans to address risks
Help you look at the issues from other perspectives
There is notably a lot of Fear, Uncertainty and Doubt (FUD) propagated about automation system cyber security.
Step back and take a look at the things you know for certain:
Your process automation system is a productivity tool and likely determines whether you can profitably make your product or not.
A lot of your company’s intellectual property is embodied in your automation system, perhaps to the point of trade secrets, etc.
ICS (Industrial Control System) as a cyber target is not an abstract “we’ll worry about it when it happens thing” any more (and maybe never was). Stuxnet, Night Dragon, etc. are harsh indicators that the ICS has been realized to be a high value target for either industrial and business or strategic political reasons.
Because of the United States’ extensive reliance on control systems and connectivity, a bad actor might see the opportunity to attack economically where a military attack wouldn’t be considered.
More than any other country, the US Military relies heavily on private business for products and services. Attacking those private businesses could hamper military efforts.
In some parts of the world, cyber crime can be a physical threat. Imagine having to pay a ransom to regain full control of your system.
The current US government will to regulate cyber security is low. Current business lobbying efforts to minimize government regulation are high.
Bottom line: there are a lot of reasons you should consider protecting your systems, no matter how mundane or critical your product is. But don’t wait for government regulation to force you into it.
Since you are attending this session, you probably don’t need to be sold on the idea of protecting your system. But the above points might help sell it to your management if they aren’t on board.
The Simple Facts
Where do I Start?
There are a number of standards, though most are short on explicit steps to take.
If you are subject to a regulatory agency, then you probably know what you have to do, but not how.
Third parties offer helpful services, but there are certain things that you’ll have to do yourself regardless.
They are in it for a profit. Not necessarily a bad thing, but unless you take a hands-on approach they might sell you something you don’t need.
Model the effort on something you already know.
Basic Tools & Terms
Cybersecurity Risk Assessment – Terminology
Vulnerability – Flaw or Weakness that may lead to an undesired consequence
Risk – Characterization of the likelihood and severity of consequence
Risk Assessment identifies and characterizes
The Model
Assess: Perform Risk Assessment & Gap Analysis; Establish Areas and Vectors; Determine Targets
Change: Align Areas and Vectors to Acceptable Levels; Confirm results; New Security Level
Maintain: Periodically Assess; Update; Stay Current
The Model – Likelihood vs Consequence
High Likelihood, Low Consequence: Moderate Risk
High Likelihood, High Consequence: High Risk
Low Likelihood, Low Consequence: Low Risk
Low Likelihood, High Consequence: Moderate Risk
The Model – Probability vs Impact
Probability: 4 = Very Likely, 3 = Likely, 2 = Not Likely, 1 = Beyond Unlikely
Impact: 4 = Severe Impact, 3 = Major Impact, 2 = Minor Impact, 1 = No Impact
The Model – Probability vs Impact (Vector to Probability)
Internet, Wireless (Open): 4 = Very Likely
Internet, Wireless (Password): 3 = Likely
Internet, Wireless (Authenticated): 2 = Not Likely
No Outside Connection: 1 = Beyond Unlikely
The Model – Probability vs Impact (Impact by category)
Impact scale: 1 = No Impact, 2 = Minor Impact, 3 = Major Impact, 4 = Severe Impact
Public View: Ok / Tarnished / Recoverable / Lost Confidence
Environmental: Ok / Damaged / Broken / Destroyed
Personnel: Ok / First Aid, Medical Treatment / Hospitalization / Fatality
Production: No Loss / Minor Loss / Moderate Loss / Major Loss
The Model – Risk Matrix
Risk Matrix Construction
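A worked version of the model on these slides, as an added example (not the presenter's tool): it encodes the vector-to-probability and category-to-impact scales above, applies the quadrant mapping from the Likelihood vs Consequence slide, and for the Change step lists which vector options would bring a target to an acceptable level. The rule that the worst-affected category sets overall impact and the 2/3 quadrant split point are assumptions, as is the sample input.

```python
# Attack-vector probability ratings, as given on the Probability vs Impact slide.
VECTOR_PROBABILITY = {
    "internet, wireless (open)": 4,           # Very Likely
    "internet, wireless (password)": 3,       # Likely
    "internet, wireless (authenticated)": 2,  # Not Likely
    "no outside connection": 1,               # Beyond Unlikely
}

# Impact scale per category, as given on the slide; list index + 1 is the 1..4 rating.
IMPACT_SCALES = {
    "public view": ["ok", "tarnished", "recoverable", "lost confidence"],
    "environmental": ["ok", "damaged", "broken", "destroyed"],
    "personnel": ["ok", "first aid, medical treatment", "hospitalization", "fatality"],
    "production": ["no loss", "minor loss", "moderate loss", "major loss"],
}

RISK_RANK = {"Low Risk": 0, "Moderate Risk": 1, "High Risk": 2}

def impact_rating(category: str, outcome: str) -> int:
    """Map a described outcome in one category to its 1..4 impact rating."""
    return IMPACT_SCALES[category.lower()].index(outcome.lower()) + 1

def overall_impact(outcomes: dict) -> int:
    """Assumption (not on the slides): the worst-affected category sets overall impact."""
    return max(impact_rating(c, o) for c, o in outcomes.items())

def risk_level(probability: int, impact: int) -> str:
    """Quadrant from the Likelihood vs Consequence slide; the 2/3 split point is assumed."""
    high_p, high_i = probability >= 3, impact >= 3
    if high_p and high_i:
        return "High Risk"
    if high_p or high_i:
        return "Moderate Risk"
    return "Low Risk"

def assess(vector: str, outcomes: dict) -> dict:
    """Assess step: rate one target reached through one vector."""
    p = VECTOR_PROBABILITY[vector.lower()]
    i = overall_impact(outcomes)
    return {"probability": p, "impact": i, "risk": risk_level(p, i)}

def acceptable_vectors(outcomes: dict, acceptable: str) -> list:
    """Change step: vector options that keep this target's risk at or below the acceptable level."""
    i = overall_impact(outcomes)
    return [v for v, p in VECTOR_PROBABILITY.items()
            if RISK_RANK[risk_level(p, i)] <= RISK_RANK[acceptable]]

if __name__ == "__main__":  # constructed sample: a controller reachable over open wireless
    print(assess("Internet, Wireless (Open)", {"Personnel": "Hospitalization", "Production": "Minor Loss"}))
    print(acceptable_vectors({"Personnel": "Hospitalization"}, "Moderate Risk"))
```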
Avoid the Urge to Overplay the Risk
Business Results Achieved
Cybersecurity Risk Assessment – Part of Business Model
Better understanding of risks
Control system is hardened against cyber attacks
More likely to get attention if using disciplined approach
We have provided a framework for Assessments
Each business has to count the cost – all are different
Feedback from participants
Anything we did not cover or you would like to ask