
ICS Cybersecurity Risk Assessment

Introduction

ICS are connected to computer networks, which in turn are connected to the internet, and are
employed to control equipment and safeguard people, plant and the environment. This arrangement
creates the need for cybersecurity risk assessments, whose objective is to record the possible
business impacts of a successful cyber-attack against ICS and to ensure that threat vectors are
identified and understood and that countermeasures are considered.

Unlike cybersecurity incidents on IT systems, which tend to result almost exclusively in economic
consequences, OT cybersecurity incidents can create a range of potential consequences. Which ones
occur depends directly on the objectives of the attacker: process impacts on safety, the environment
and business risk. However, an organization's risk matrix should be modified to consider other
impacts such as reputational damage or loss of intellectual property or competitive advantage.

The objective of a cybersecurity risk assessment is to evaluate attack scenarios, to determine security
level targets and to provide cost-benefit information that justifies the investment in security
countermeasures. To conduct the assessment, information such as zone and conduit drawings,
cybersecurity policies and procedures, corporate risk criteria, an inventory of cyber assets,
manufacturer (i.e., device) cybersecurity manuals and lists of third-party connections is
required.

Cybersecurity Risk

Cybersecurity risk is concerned with intentional or unintentional interference that has the potential to
compromise ICS by means of computer-connected systems. Today we have reached the point where
cyber risk assessments are considered an essential activity in any project, just as safety risk
assessments are.

Many different approaches to conducting cyber risk assessments are provided in
international standards such as IEC 62443. A cybersecurity event can be a malicious
attack (intentional) or an operator error (unintentional); its likelihood is the product of threats,
vulnerabilities and target attractiveness. The consequence severity of a cybersecurity incident depends
on the inherent characteristics of the target (e.g., the quantity and type of hazardous
chemicals), the objective of the attacker, and which components of the process control system are
compromised.

Understanding how the consequence, the type of threat, the attractiveness of the target and the number
of vulnerabilities affect the likelihood of a cybersecurity attack is a key step in performing a
cybersecurity risk assessment.

Why We Need Cyber Risk Assessment

Examples from many previous cybersecurity attacks demonstrate that both insider and outsider
cybersecurity risks have the potential to significantly impact both the continued operation and the
safety of ICS. A cyber-attack does not need to initiate an event directly; rather, it can disable a
protective measure and wait for an initiating event to occur.

For example, an ICS such as a Safety Instrumented System (SIS), which is designed to prevent or mitigate
the consequences of a hazard scenario arising from initiating events such as a Distributed Control System
(DCS) failure, stands by passively until a specific process deviation occurs and then takes action.

Cyber-attacks on an SIS need not be as sophisticated as what we saw during TRITON / TRISIS: simply
changing an interlock trip point or placing an interlock in bypass can allow a process upset to
propagate into a high-consequence loss-of-containment event with safety, environmental and
financial implications.

1.) Identify the System Under Consideration and select Zone / Conduit

The first step is to identify the System Under Consideration (SUC), or the scope of the assessment, to
clearly define which systems are being reviewed. Zone and conduit diagrams provide the basis for
grouping the assets into zones and evaluating the security requirements for assets based on the
network segmentation strategy.

Once a zone or conduit has been selected for review, the assets within the zone should be evaluated
as cybersecurity nodes to consider the impact of a cybersecurity threat on each asset within the
zone.

2.) System Screening

Screening is performed based on the degree of programmability, the use of removable media or portable
computers, connectivity to other OT networks (e.g., L1 serial links, the L3 Process Control
Network (PCN) or the L3.5 Process Control Access Domain (PCAD)) and connectivity to non-OT
networks (e.g., L4 corporate, virtual private network (VPN) or Internet connections).

Once the scope is clearly defined, a specific device is selected for further analysis; this could be an
engineering workstation, operator workstation, programmable logic controller, server or item of
network equipment.

3.) Determine the Worst-Case Consequence

Evaluate what events could occur if the system function is lost, for example if the system is
powered off for a period of five days, or even compromised so that a skilled, knowledgeable,
motivated attacker has full administrative access to it.

The severity of the consequence is determined for each applicable type of criterion (e.g., safety,
environmental, financial) without considering any countermeasures, i.e., assuming all
non-mechanical countermeasure devices (e.g., firewalls, anti-virus scanning) have failed.
Below is an example of a consequence matrix:

4.) Determine and Record the Threat Vectors & Likelihood

There are many threat vectors that threat agents can exploit. These range from introducing
malware via a USB port, adding an unauthorized wireless access point or attaching an unauthorized
computer to a network, to connecting control networks with business or other networks, and many
others.

This is the step where we document the various pathways by which a threat could reach the OT
system, such as direct physical access to a system (including access to system consoles, network devices,
cabling, removable media, portable computers and asset disposal) or remote access via hardwired
network connections to other IT/OT systems (including copper/fiber network connections, serial
links and VPNs).

Each threat vector is drawn on the network architecture diagram, and the initiating event
likelihood is recorded. The threat likelihood is defined considering only the threat source, the level
of skill required and the pathway. At this stage the unmitigated system risk is being assessed, so risk
reduction from countermeasures is not considered.

5.) Identify and Record the Countermeasures & Determine the Security Target Level

The consequence severity and frequency (likelihood) rankings, judged against the organization's
corporate risk criteria, determine whether there is a risk tolerance gap and define the Security
Level Target for the OT system.

NR in the table below indicates that a security level is not required or defined for that zone or system.
IEC 62443 defines five security level grades, ranging from 0 to 4, with SL 0 identified as the
minimum level of risk and SL 4 as the maximum or 'most vulnerable' level, which requires the most
significant countermeasures.

For each threat vector, the following risk details are documented and countermeasures are identified
to decrease the likelihood of the attack succeeding or to reduce the severity of the consequence.

Unmitigated risk combines the dominant risk category with the initiating event likelihood.
From the risk matrix table, if the consequence rating of a system is 3 and the frequency is E, then
the Target Security Level of that system (SL-T) will be 2; equivalently, the LOPA gap is 2, meaning
two independent countermeasures must be designed for different threat vectors.

Inherent Security Risk is the risk left after taking credit for the countermeasures that are
inherent in the design, such as the DCS, SIS or PSV, or for enabling events such as time at risk and
conditional modifiers such as ignition sources and occupancy. These countermeasures may apply only to
certain risk categories (e.g., occupancy only reduces likelihood for the H&S risk category), which
may change the dominant risk category to be used.

If a system is compromised but another independent system, such as the plant SIS, can prevent
the hazardous consequence, then we can take one credit, so the Inherent Risk in the above example
reduces by one factor and the LOPA gap is 1.

Tolerable Security Risk is the risk left after taking credit for preventive countermeasures
added externally, such as firewalls, unidirectional gateways/data diodes, access control, system
hardening and encryption, or mitigative countermeasures such as intrusion detection/prevention,
administrative procedures, cybersecurity alarms and a security operations centre. As per
table 5, we had an inherent security risk of 1; if we add a firewall to the network design and take
this credit, the LOPA gap becomes 0.

6.) Determine if the Tolerable Risk Criteria are Met

For each device, the current risk ranking is reviewed to determine whether it is tolerable. Devices
determined to have minimal risk do not require further investigation, whereas devices with
significant or severe risk require additional treatment to reduce the risk further, such as redesigning
the network architecture to eliminate threat vectors, reducing the initiating event likelihood of
existing threat vectors, or modifying the process, equipment or operational mode. The security level
targets can be used to group assets into zones based on cybersecurity criticality and to support the
determination of network segmentation.
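As an added example, not from the original post, the following Python walks a single node through the three stages of steps 5 and 6 (unmitigated, inherent and tolerable risk) and applies credits per risk category, so it also shows the dominant category changing when a credit such as occupancy applies to H&S only. The risk matrix is constructed for illustration and only reproduces the one point the post states (severity 3 at frequency E gives SL-T 2); the credit names and category labels are assumptions.

```python
from dataclasses import dataclass

# CONSTRUCTED 5x5 risk matrix (the post's own table is not reproduced here):
# rows = consequence severity 1..5, columns = initiating event frequency
# A (most frequent) .. E (least frequent); cell value = SL-T, i.e. the LOPA gap.
# It matches the one point the post states: severity 3 at frequency E -> 2.
RISK_MATRIX = {
    1: {"A": 1, "B": 1, "C": 0, "D": 0, "E": 0},
    2: {"A": 2, "B": 2, "C": 1, "D": 1, "E": 0},
    3: {"A": 4, "B": 3, "C": 3, "D": 2, "E": 2},
    4: {"A": 4, "B": 4, "C": 3, "D": 3, "E": 2},
    5: {"A": 4, "B": 4, "C": 4, "D": 3, "E": 3},
}

@dataclass(frozen=True)
class Credit:
    """One independent countermeasure credit, worth one step of LOPA gap."""
    name: str
    inherent: bool                       # True: design-inherent (SIS, PSV, occupancy)
    categories: frozenset = frozenset()  # empty = applies to every risk category

def category_gaps(severity, frequency, credits):
    """Per-category gap after subtracting only the credits that apply to that category."""
    gaps = {}
    for cat, sev in severity.items():
        applicable = sum(1 for c in credits if not c.categories or cat in c.categories)
        gaps[cat] = max(0, RISK_MATRIX[sev][frequency] - applicable)
    return gaps

def assess(severity, frequency, credits):
    """Return {stage: (dominant category, remaining gap)} for the post's three stages."""
    stages = {
        "unmitigated": [],                               # no countermeasure credit at all
        "inherent": [c for c in credits if c.inherent],  # design-inherent layers only
        "tolerable": list(credits),                      # plus external countermeasures
    }
    result = {}
    for stage, applied in stages.items():
        gaps = category_gaps(severity, frequency, applied)
        dominant = max(gaps, key=gaps.get)  # dominant category = largest remaining gap
        result[stage] = (dominant, gaps[dominant])
    return result

def meets_tolerable_criteria(result):
    """Step 6: tolerable only when no gap remains after every credit is taken."""
    return result["tolerable"][1] == 0
```

For the post's own example (severity 3, frequency E, one credit for an independent SIS and then one for a firewall) the three stages return gaps of 2, 1 and 0 respectively.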

Conclusion

Accurately assessing cybersecurity risk poses a number of unique challenges. Adopting commonly
used process safety techniques and calibrating them for cybersecurity studies can help provide
consistent risk assessment scenarios and reduce the development time needed for the
cybersecurity risk identification and analysis method.

Strategies to mitigate cybersecurity risks require continual assessment and the implementation
of comprehensive standards such as IEC 62443, which provide the necessary guidance.

Identifying potential cybersecurity hazards and estimating risk can be a difficult undertaking for OT
systems. This is due to a number of factors, including misconceptions about cybersecurity as it
relates to the process industry, limited industry databases on cybersecurity events, rapidly changing
technology and a continually evolving threat landscape.

Useful Acronyms

DCS – Distributed Control System
H&S – Health & Safety
ICS – Industrial Control System
IEC – International Electrotechnical Commission
LOPA – Layers of Protection Analysis
OT – Operations Technology
PCAD – Process Control Access Domain
PCN – Process Control Network
PSV – Pressure Safety Valve
SIS – Safety Instrumented System
SL-T – Target Security Level
SUC – System Under Consideration
VPN – Virtual Private Network

Nikhil Kapoor

Nikhil Kapoor has more than 13 years of industrial experience in the conceptual design and
engineering of projects in the hydrocarbon industry, including refinery, petrochemical, LNG and
transition energy. At present he is working as a Lead Engineer at Bechtel India Pvt. Ltd. He
is a certified Automation Professional (ISA-CAP), Functional Safety Professional (CFSP),
Automation Cybersecurity Specialist (CACS) and Chartered Professional Engineer (CPEng).

© 2022 International Society of Automation. All rights reserved.