Sectrio WP IEC 62443 Risk Assessment Final
POWERING RESILIENCE
IEC 62443-3-2
RISK ASSESSMENT
www.sectrio.com
Utility/Usage guideline
This document is intended to offer a primer for aligning the requirements of ISA/IEC 62443-3-2 with
industrial automation control system (IACS) cyber security risk assessment. With due diligence and
analysis of security requirements, this assessment can be applied to many sectors including
manufacturing, utilities, ports, building automation and management, water treatment, healthcare,
and aviation.
This e-book can be used at the assessment design stage to plan the assessment.
ISA/IEC 62443-3-2 deals with security risk assessment, system segmentation, and security levels.
It views ICS security as a function of risk management that should consider contextual threat
impact, vulnerability exposure, likelihood, and asset value. These inputs can guide the application
of ICS security countermeasures to minimize cyber risk.
Planning an assessment
An outcome-oriented cyber security risk assessment plan involves the following:
• Deep understanding of the process and steps needed to identify and map vulnerabilities, threats
and potential disruptions to the consequences of a cyberattack
• Ranking the risks emerging from the above
• Implementing measures to lower such risks and to keep them within acceptable thresholds
This document also intends to offer a shape, form and design to the ISA/IEC 62443-3-2-based
assessment process.
Steps:
• Identify the system being considered and its boundaries
• Conduct the initial assessment; determine the initial level of risk exposure
• Divide the system into zones
• Analyze initial risk level data; derive the security level inference
Focus areas for the initial assessment
The initial assessment should set the tone for the comprehensive assessment exercise that follows.
Having said that, the initial assessment should not be seen merely as an enabler for the next
assessment. It has legs of its own to stand on and, if done right, the gaps identified in it can be
addressed as action items in their own right.
A conduit is a set of communication channels that links two or more zones that have similar
security requirements. Segmenting the system under consideration (SUC) into distinct zones and
conduits is an essential step in the risk assessment process. The first step in segmenting the SUC is
the identification of assets that share security features. Segmenting networks reduces the risks
associated with a cyberattack, and ISA/IEC 62443-3-2 recommends the following approach for
segmenting the SUC:
Initial risk assessment template
Columns of the template (one row per zone or segment assessed):
• Org. identifier
• Assessor qualification
• Connected segments and zones
• Security perimeter and access points
• Dataflows associated with each access point
• Target security level
• Specific compliance and related mandates applicable
• External/internal dependencies
• Asset inventory risks
• Risk matrix score
An initial assessment can also be repeated if the outcome is not satisfactory. Further, with more than
one round of initial assessments, more objectivity can be introduced into the process. Sectrio
recommends that the assessment be conducted in an unbiased manner that takes into account both
high-impact and low-impact risks.
Establishing the risk matrix
A risk can entail many factors, including the probability of an adverse event occurring that leads to
loss of life or assets, damage to the environment, data loss, or loss of production time. In order to
calculate a risk factor, the following equation can be used:
Likelihood ranking used in the matrix (frequencies are events per year):
Rank | Likelihood | Frequency (per year)  | Notes/definitions
1    | Certain    | > 10^-1               | Almost certain (high demand)
2    | Likely     | 10^-1 to 10^-3        | Likely to occur (low demand)
3    | Possible   | 10^-3 to 10^-4        | Quite possible or not unusual to occur
4    | Unlikely   | 10^-4 to 10^-5        | Conceivably possible, but very unlikely to occur
5    | Remote     | < 10^-5               | So unlikely that it can be assumed it will not occur
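The likelihood table above, turned into a small scoring routine. This is an added example written for this page; it is not Sectrio's tool and not the paper's own equation. The frequency bands and ranks are the paper's. Everything else is assumed: the paper's combining equation is not given here, so a simple product of a likelihood weight (6 minus the rank, so likelier events weigh more) and a consequence rank 1..5 (5 = worst) is used; the Low/Medium/High thresholds at 8 and 15 and the sample scenarios are constructed. The block also performs the "change the variables and scenarios, does the score vary significantly?" validation that the risk score checklist later in this document asks for.

```python
"""Risk score from the paper's likelihood bands, plus a sensitivity check.

Added example, not Sectrio's code.  Only LIKELIHOOD_BANDS comes from the paper;
the consequence scale, combining rule, band thresholds and scenarios are assumed.
"""
from itertools import product

# (exclusive lower bound on events per year, rank, label) -- the paper's table
LIKELIHOOD_BANDS = (
    (1e-1, 1, "Certain"),
    (1e-3, 2, "Likely"),
    (1e-4, 3, "Possible"),
    (1e-5, 4, "Unlikely"),
)
REMOTE_RANK = 5                                   # below 10^-5 per year
BAND_THRESHOLDS = ((15, "High"), (8, "Medium"), (0, "Low"))   # assumed thresholds


def likelihood_rank(events_per_year: float) -> int:
    """Map an annual frequency to rank 1..5; a boundary value falls in the less likely band."""
    if events_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for lower, rank, _label in LIKELIHOOD_BANDS:
        if events_per_year > lower:
            return rank
    return REMOTE_RANK


def risk_score(lik_rank: int, consequence: int) -> int:
    """Assumed combining rule: (6 - likelihood rank) x consequence rank, range 1..25."""
    if not 1 <= lik_rank <= 5 or not 1 <= consequence <= 5:
        raise ValueError("ranks must be in 1..5")
    return (6 - lik_rank) * consequence


def risk_band(score: int) -> str:
    for floor, label in BAND_THRESHOLDS:
        if score >= floor:
            return label
    return "Low"


def sensitivity(events_per_year: float, consequence: int) -> dict:
    """Re-score every one-step change of likelihood rank and consequence rank and
    report how often the risk band flips.  A high flip ratio means the score is
    fragile with respect to the assessor's input, which is what the validation
    step in the checklist is meant to surface."""
    lr = likelihood_rank(events_per_year)
    base = risk_score(lr, consequence)
    perturbed = []
    for d_l, d_c in product((-1, 0, 1), repeat=2):
        pl = min(5, max(1, lr + d_l))
        pc = min(5, max(1, consequence + d_c))
        if (pl, pc) == (lr, consequence):
            continue                    # the base case itself, or clamped back onto it
        perturbed.append(risk_score(pl, pc))
    flips = sum(1 for s in perturbed if risk_band(s) != risk_band(base))
    return {"score": base, "band": risk_band(base), "min": min(perturbed),
            "max": max(perturbed), "band_flip_ratio": flips / len(perturbed)}


def rank_scenarios(scenarios: list) -> list:
    """Order (name, events_per_year, consequence) tuples by descending score; ties by name."""
    scored = [(name, risk_score(likelihood_rank(freq), cons)) for name, freq, cons in scenarios]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample scenarios: (name, estimated events per year, consequence rank)
SCENARIOS = [
    ("remote-access credential misuse", 0.5, 4),
    ("historian data leak", 0.02, 2),
    ("safety PLC integrity violation", 0.0005, 5),
    ("vendor laptop malware", 0.05, 3),
]

if __name__ == "__main__":
    for name, score in rank_scenarios(SCENARIOS):
        print(f"{score:2d} {risk_band(score):6s} {name}")
    print(sensitivity(0.02, 4))
```

The product rule is deliberately simple so the sensitivity output is easy to read: a one-step change in either input moves the score by a full row or column of the matrix, which is exactly why the checklist asks whether the score "remains the same or varies significantly".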
Methodology
ISA/IEC 62443-3-2-based assessments should include the following assessment components:
• Identifying the SUC
• Vulnerability assessment: to be conducted at the following levels:
◦ Device vulnerabilities: conduct a security level capability assessment using the requirements
mentioned in ISA/IEC 62443-4-2. This assessment will identify gaps in the technical
capabilities of devices in the context of the security level target of the zone where these
devices are to be deployed.
◦ Check for published device vulnerabilities: known vulnerabilities can be documented
◦ Is there a gap between the release of a patch and its deployment?
• Technical gaps: identify the gaps between existing technical measures and the target security
levels using the requirements mentioned in ANSI/ISA 62443-3-3
• Process gaps: Process gaps may emerge from security blind spots. If the existing processes are
not adequate from an implementation security or performance perspective, then security gaps are
bound to emerge. The existing processes and technical measures can be compared with ISA/IEC
62443-2-1 to get a complete and actionable view of the gaps. Maturity levels of the processes can
also be determined as part of this assessment. The following process can be followed to identify
process gaps:
◦ Document all technical and process measures across zones
◦ Document zone-specific measures
◦ Document all organizational measures that are necessary to support specific technical
measures.
◦ Assess each measure and document the results
• System integration gaps: when integration testing is not carried out before a device is deployed,
security issues could emerge.
• System observability gaps: gaps arising from a lack of adequate visibility into system operations
and behavior
• Network-related security issues: vulnerabilities arising out of poor network management
practices including lack of segmentation and visibility. Lack of architecture review at an initial
stage and reviews later contribute to this challenge.
• People-related vulnerability: these arise from unregulated/excess privileges, lack of training,
governance or issues arising from unmonitored insider activity.
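The device-level checks in the methodology above (capability versus the zone's target security level, published vulnerabilities, and the gap between patch release and deployment) as an added example. This is illustrative code written for this page, not Sectrio's tooling and not text from the standard. It assumes the standard's seven foundational requirements (FR1 to FR7) and security levels 0 to 4: a zone carries a target level per FR (SL-T) and a device a capability level per FR (SL-C), and a gap is any FR where SL-C is below SL-T. The 30-day patch-lag threshold, the zone, the devices, the vulnerability identifier and the dates are all constructed sample values.

```python
"""Device SL-C against zone SL-T, published vulnerabilities and patch lag.

Added example, not Sectrio's code.  FR names and the 0..4 level range follow
ISA/IEC 62443; the threshold and all sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

FRS = ("FR1-IAC", "FR2-UC", "FR3-SI", "FR4-DC", "FR5-RDF", "FR6-TRE", "FR7-RA")
PATCH_LAG_LIMIT_DAYS = 30       # assumed organisational threshold, not from the paper


def sl_vector(*levels: int) -> dict:
    """Build a security-level vector: one level 0..4 per foundational requirement."""
    if len(levels) != len(FRS):
        raise ValueError(f"expected {len(FRS)} levels, got {len(levels)}")
    if any(not 0 <= lvl <= 4 for lvl in levels):
        raise ValueError("security levels must be in 0..4")
    return dict(zip(FRS, levels))


@dataclass
class Device:
    name: str
    sl_c: dict                              # capability per FR (SL-C)
    published_vulns: tuple = ()             # identifiers of published vulnerabilities
    patch_released: Optional[date] = None
    patch_deployed: Optional[date] = None


def capability_gaps(sl_t: dict, device: Device) -> dict:
    """FRs where the device's SL-C is below the zone's SL-T, with the shortfall."""
    return {fr: sl_t[fr] - device.sl_c[fr] for fr in FRS if device.sl_c[fr] < sl_t[fr]}


def patch_lag_days(device: Device) -> Optional[int]:
    """Days between patch release and deployment; None if either date is unknown."""
    if device.patch_released is None or device.patch_deployed is None:
        return None
    return (device.patch_deployed - device.patch_released).days


def assess_zone(zone: str, sl_t: dict, devices: list) -> list:
    """One finding dict per issue, in the form an assessor would log it."""
    findings = []
    for dev in devices:
        for fr, short in capability_gaps(sl_t, dev).items():
            findings.append({"zone": zone, "device": dev.name, "type": "sl_gap",
                             "detail": f"{fr}: SL-C below SL-T by {short}"})
        for vuln in dev.published_vulns:
            findings.append({"zone": zone, "device": dev.name, "type": "published_vuln",
                             "detail": vuln})
        lag = patch_lag_days(dev)
        if dev.patch_released is not None and lag is None:
            findings.append({"zone": zone, "device": dev.name, "type": "patch_lag",
                             "detail": "patch released but not deployed"})
        elif lag is not None and lag > PATCH_LAG_LIMIT_DAYS:
            findings.append({"zone": zone, "device": dev.name, "type": "patch_lag",
                             "detail": f"{lag} days between release and deployment"})
    return findings


# Constructed sample data: one cell zone with SL-T 2 on most FRs and two devices.
CELL_SL_T = sl_vector(2, 2, 2, 1, 2, 2, 2)
CELL_DEVICES = [
    Device("plc-a", sl_vector(2, 2, 1, 1, 2, 1, 2),
           published_vulns=("VULN-ID-PLACEHOLDER",),
           patch_released=date(2024, 1, 10), patch_deployed=date(2024, 3, 15)),
    Device("hmi-b", sl_vector(2, 2, 2, 1, 2, 2, 2),
           patch_released=date(2024, 2, 1), patch_deployed=date(2024, 2, 8)),
]

if __name__ == "__main__":
    for finding in assess_zone("cell-1", CELL_SL_T, CELL_DEVICES):
        print(finding)
```

Run as a script it lists the findings for the sample zone; in practice the SL-T vector comes from the zone register and the SL-C vectors from the vendor's 62443-4-2 capability statements.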
Site and impact assessments
In the case of systems where there is a risk of a kinetic attack resulting in loss of life, it is
recommended that an additional level of assessment be conducted to:
• Prioritize sites based on the risk of a major cyberattack or damage
• Study and prioritize consequences
• Present the current level of mitigation and whether it matches the level of risk exposure
• Map situations and impacts to risks
• Analyze likely targets (assets, functions and systems)
• How do you calculate the risk score of a security issue?
• How is the cybersecurity maturity score derived?
• What industrial standards will be considered?
• How will device-level issues be identified?
• What will be the next steps after the assessment? When will the report be shared?
• What will be the nature of the recommendations shared?
Assessment aspects, points to consider (checklist), and what to watch out for:
Risk exposure
◦ Checklist:
• Identify aspects that directly or indirectly contribute to risk exposure
• Quantify to measure risk exposure
• Identify scenarios linked to risk exposure
• Prioritize variables
• Map exposure level to consequence
◦ Watch out for:
• Validate risk exposure in an objective manner
Risk score
◦ Checklist:
• Break the score down into as many quantifiable metrics as possible, including, for instance,
scores related to devices, processes, people, situations, supply chains, networks, and the threat
environment
• The scoring should be done in an objective manner with less scope for bias to influence the
process
• Validate the risk score by changing variables and scenarios. Does the score remain the same or
does it vary significantly?
◦ Watch out for:
• The approach and the scoring should be granular and objectively aligned with outcomes
Zones and conduits
◦ Checklist (characteristics that should be documented for zones and conduits):
• Unique identifier/tag
• Physical and/or logical boundary
• Entry points (integrations, wireless, remote access …)
• External and internal data flows within a zone
• Assets and services
• Connected zones
• Security requirements
• Target security level
• Security policies
• Assumptions and dependencies
◦ Watch out for:
• Clear identification of zones with data flow traceability
Roles and responsibilities
◦ Checklist:
• Clearly delineated roles for assessors and participants
◦ Watch out for:
• Stakeholder involvement is necessary
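A register for the zone and conduit characteristics in the checklist above, with the two consistency checks an assessor most often finds failing: that every conduit links at least two zones, and that every documented inter-zone data flow is traceable to a conduit and to assets inventoried in the zones it names. This is an added example written for this page, not Sectrio's data-capture tool; the zones, conduits, assets, VLAN labels and flows are constructed sample data.

```python
"""Zone/conduit register with data-flow traceability checks.

Added example, not Sectrio's code.  The fields mirror the checklist; the
validation rules and all sample data are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    zone_id: str                        # unique identifier/tag
    boundary: str                       # physical and/or logical boundary
    target_sl: int                      # target security level 0..4
    assets: frozenset = frozenset()     # assets and services
    entry_points: tuple = ()            # integrations, wireless, remote access ...
    policies: tuple = ()                # security policies
    assumptions: tuple = ()             # assumptions and dependencies


@dataclass
class Conduit:
    conduit_id: str
    zones: frozenset                    # zones this conduit connects
    channels: tuple = ()                # communication channels it carries


@dataclass
class DataFlow:
    src_zone: str
    src_asset: str
    dst_zone: str
    dst_asset: str
    protocol: str


def connected_zones(zone_id: str, conduits: list) -> set:
    """Zones reachable from zone_id over a documented conduit (the 'connected zones' field)."""
    linked = set()
    for c in conduits:
        if zone_id in c.zones:
            linked |= set(c.zones) - {zone_id}
    return linked


def validate_register(zones: list, conduits: list, flows: list) -> list:
    """Return human-readable findings; an empty list means the register is consistent."""
    findings = []
    by_id = {}
    for z in zones:
        if z.zone_id in by_id:
            findings.append(f"duplicate zone identifier {z.zone_id}")
        by_id[z.zone_id] = z
        if not 0 <= z.target_sl <= 4:
            findings.append(f"{z.zone_id}: target SL {z.target_sl} outside 0..4")
        if not z.assets:
            findings.append(f"{z.zone_id}: no assets documented")
    for c in conduits:
        if len(c.zones) < 2:
            findings.append(f"{c.conduit_id}: a conduit must link at least two zones")
        for zid in sorted(set(c.zones) - set(by_id)):
            findings.append(f"{c.conduit_id}: references unknown zone {zid}")
    for f in flows:
        label = f"flow {f.src_asset}->{f.dst_asset} ({f.protocol})"
        for zid, asset, role in ((f.src_zone, f.src_asset, "source"),
                                 (f.dst_zone, f.dst_asset, "destination")):
            zone = by_id.get(zid)
            if zone is None:
                findings.append(f"{label}: {role} zone {zid} is not in the register")
            elif asset not in zone.assets:
                findings.append(f"{label}: {role} asset {asset} is not documented in zone {zid}")
        crosses = f.src_zone != f.dst_zone
        if crosses and not any({f.src_zone, f.dst_zone} <= set(c.zones) for c in conduits):
            findings.append(f"{label}: no conduit between {f.src_zone} and {f.dst_zone}")
    return findings


# Constructed sample register: a cell zone, an industrial DMZ and the enterprise zone.
ZONES = [
    Zone("cell-1", "Line 1 control cabinet, VLAN 10", 2, frozenset({"plc-a", "hmi-b"}),
         entry_points=("engineering laptop port",), policies=("no direct internet",)),
    Zone("dmz", "Industrial DMZ, VLAN 20", 2, frozenset({"historian", "jump-host"})),
    Zone("enterprise", "Corporate LAN", 1, frozenset({"erp"})),
]
CONDUITS = [
    Conduit("c-cell-dmz", frozenset({"cell-1", "dmz"}), ("OPC-UA/4840",)),
    Conduit("c-dmz-ent", frozenset({"dmz", "enterprise"}), ("HTTPS/443",)),
]
FLOWS = [
    DataFlow("cell-1", "plc-a", "dmz", "historian", "OPC-UA"),
    DataFlow("dmz", "historian", "enterprise", "erp", "HTTPS"),
    DataFlow("enterprise", "erp", "cell-1", "plc-a", "Modbus/TCP"),   # bypasses the DMZ
    DataFlow("cell-1", "badge-reader", "dmz", "historian", "HTTP"),   # asset missing from inventory
]

if __name__ == "__main__":
    for finding in validate_register(ZONES, CONDUITS, FLOWS):
        print(finding)
```

On the sample data the two deliberate defects are reported: the enterprise-to-cell Modbus flow has no conduit, and the badge reader is not in the cell zone's asset list. Both are the kind of gap that breaks data flow traceability and that the "what to watch out for" column warns about.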
Risk assessment support and data capture tool (applicable to all zones and conduits)
Threat categories to capture for each zone and conduit:
• Authorization attack
• Communication attack
• DDoS
• Data leak
• Integrity violation
• Reconnaissance
• Malware
• Social engineering
• Supplier compromise
• Insider activity
• Process failure
• Tech issue
ABOUT SECTRIO
Map of honeypot locations: London, Spain, Qatar, Toronto, Dubai, Seattle, Myanmar, Mumbai,
Portugal, Malta, Denver, Kuwait, Hong Kong, Saudi, Ivory Coast, Ghana, Bangalore, Botswana,
Johannesburg, Sydney (map legend: Honeypot Locations; Security operations)
Sectrio is a division of Subex Digital LLP, a wholly owned subsidiary of Subex Limited. Sectrio is a
market and technology leader in the Internet of Things (IoT), Operational Technology (OT) and 5G
cybersecurity segments. We excel in securing the most critical assets, data, networks, supply chains,
and device architectures across geographies and at scale on a single platform. Sectrio today runs the
largest IoT- and OT-focused threat intelligence gathering facility in the world. To learn more, visit:
www.sectrio.com