Towards a focus on impacts
Traditional risk assessment methodologies combine the level of impact of a scenario with its probability to calculate the associated risk. In the case of black swans, an extremely high impact combined with an extremely low probability will result in a medium risk.
This would make sense from a financial risk point of view: after all, it’s really only money that’s at stake. But if you look at industrial companies, there’s much more at stake than that. The potential impacts of risks here extend to the physical world, including human lives and the environment. That’s why, regardless of how low their probability appears to be, these events should be considered as part of the risk analysis.
How to do this? As I mentioned earlier, it’s not feasible to model all the potential scenarios that can generate risks. So a new approach is needed: one that’s more suited to OT environments and addresses the challenges in those environments.
From “could happen” to “will happen”
The solution lies in changing the way risk is calculated. Instead of working from the likelihood that a possible scenario might occur, we assume that an adverse event will materialize at some point in the future and will create some impact. The effect? Instead of risk being a function of the probability of something happening and then its impact, it is calculated as a function of how well the organization is protected if and when that impact arises.
This change makes sense in practical terms. Modelling impacts is much easier than modelling complete scenarios. It’s possible to develop a very accurate understanding of what would be at stake in the case of something going wrong – regardless of what it actually is that goes wrong.
As a result, the focus shifts to how well-prepared the organization is to minimize the impact of an incident or disaster and achieve a prompt recovery. And the level of preparedness can be established by the definition of a target cybersecurity posture for each system.
The cybersecurity posture can be defined by describing different levels of implementation for a set of applicable security controls. The more critical the system under assessment is (the higher the potential impact), the more demanding the level of implementation for the security controls needs to be. This way, an organization’s level of preparedness can be determined through a controls effectiveness assessment.
Cybersecurity remains key – underpinned by standards
What does this impact-based approach mean for cybersecurity on engineering projects? It certainly doesn’t mean we should forget about cybersecurity measures. On the contrary, we should still be diligent about minimizing cybersecurity risks.
However, since it’s clearly impossible to determine in advance the nature of all potential cyber events, we would ideally have measures in place to manage every potential eventuality. The problem? In most cases, this is neither practical nor even possible. So, as a proxy for covering all eventualities, what’s needed is an approach based on rigorous compliance with cybersecurity standards.
Based on these standards, we would recommend that organizations create a baseline of security controls that are applicable to the environment within scope. This baseline should consider the importance of each system according to the potential impacts that an incident involving the system could cause. The outcome is a tiered approach – one where key safety systems should have the maximum level of protection that the security controls can provide, while ancillary systems that cannot cause disturbance in the physical process could be left with just basic security measures.
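To make the two calculations concrete, here is an added example (mine, not the author’s method or any standard’s control catalogue) that scores the same inventory both ways: the traditional impact × likelihood matrix from the opening section, and the impact-based view from the “From ‘could happen’ to ‘will happen’” section, where each system is assigned a criticality tier from its potential impact, the tier fixes a target implementation level per control (the tiered baseline described above), and the risk is the impact weighted by how far the implemented controls fall short of that target. The scales, tier thresholds, control names, target levels and the three systems are all constructed for illustration.

```python
"""Traditional (likelihood x impact) versus impact-based OT risk scoring.

Added example. Scales, tiers, control names, target levels and the
inventory are constructed placeholders, not a real standard or plant.
"""
from dataclasses import dataclass

# Ordinal 1..5 scales (constructed). Impact covers safety/environment, not money.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}

CONTROLS = ("network_segmentation", "access_control", "patching",
            "backup_recovery", "monitoring")

# Target cybersecurity posture per tier: required implementation level of
# each control (0 = not required ... 3 = fully implemented). Constructed.
TARGET_POSTURE = {
    "ancillary": dict(zip(CONTROLS, (1, 1, 1, 1, 0))),
    "process":   dict(zip(CONTROLS, (2, 2, 2, 2, 2))),
    "safety":    dict(zip(CONTROLS, (3, 3, 3, 3, 3))),
}


@dataclass
class System:
    name: str
    impact: str        # worst credible physical/safety/environmental impact
    likelihood: str    # only the traditional method uses this
    implemented: dict  # control name -> implemented level 0..3 (from an assessment)


def tier_for(impact: str) -> str:
    """Criticality tier follows from potential impact alone, never from likelihood."""
    score = IMPACT[impact]
    if score >= 4:
        return "safety"
    if score >= 2:
        return "process"
    return "ancillary"


def traditional_risk(system: System):
    """Impact x likelihood on a 1..25 grid; a black swan (5 x 1) lands in 'medium'."""
    score = IMPACT[system.impact] * LIKELIHOOD[system.likelihood]
    rating = "high" if score > 12 else "medium" if score >= 5 else "low"
    return score, rating


def control_gaps(system: System) -> dict:
    """Controls implemented below the target level for the system's tier."""
    target = TARGET_POSTURE[tier_for(system.impact)]
    return {c: (system.implemented.get(c, 0), lvl)
            for c, lvl in target.items() if system.implemented.get(c, 0) < lvl}


def preparedness(system: System) -> float:
    """Controls effectiveness as a fraction of the target posture (0..1).
    Over-implementing one control cannot compensate for a gap in another."""
    target = TARGET_POSTURE[tier_for(system.impact)]
    required = sum(target.values())
    achieved = sum(min(system.implemented.get(c, 0), lvl) for c, lvl in target.items())
    return achieved / required  # every tier above requires at least one control


def impact_based_risk(system: System):
    """Assume the incident will happen; residual risk = impact x unpreparedness."""
    residual = round(IMPACT[system.impact] * (1 - preparedness(system)), 2)
    rating = "high" if residual >= 2 else "medium" if residual >= 1 else "low"
    return residual, rating


def prioritize(systems, method):
    """Names ordered by descending score under the given scoring function."""
    return [s.name for s in sorted(systems, key=lambda s: method(s)[0], reverse=True)]


# Constructed inventory: a safety system with a 'black swan' profile, a process
# controller with a routine profile, and an ancillary historian.
INVENTORY = [
    System("safety_shutdown_plc", "catastrophic", "rare",
           {"network_segmentation": 3, "access_control": 2, "patching": 1,
            "backup_recovery": 2, "monitoring": 1}),
    System("process_controller", "moderate", "possible",
           {"network_segmentation": 2, "access_control": 2, "patching": 1,
            "backup_recovery": 2, "monitoring": 2}),
    System("plant_historian", "negligible", "likely",
           {"network_segmentation": 0, "access_control": 1, "patching": 0,
            "backup_recovery": 1, "monitoring": 0}),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(f"{s.name:22} tier={tier_for(s.impact):9} "
              f"traditional={traditional_risk(s)} impact_based={impact_based_risk(s)} "
              f"gaps={sorted(control_gaps(s))}")
    print("traditional order :", prioritize(INVENTORY, traditional_risk))
    print("impact-based order:", prioritize(INVENTORY, impact_based_risk))
```

Run as a script, the traditional matrix ranks the process controller (9, medium) above the safety shutdown PLC (5, medium), because the PLC’s low likelihood halves its score; the impact-based view puts the PLC first and lists the four controls that sit below the safety tier’s target, which is the list an engineering project can actually act on.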
A final thought. During my career, I’ve seen many, many risk assessments for industrial control systems that used the same assets and tools as when assessing risks for a bank or retailer. The difference? With industrial controls there are lives at stake. And the way the risks are assessed should reflect that. The proposed method is not a silver bullet; it is just an alternative view on how to analyze risks that, in my opinion, has certain advantages over traditional methodologies.
As ever, if you’d like to know more, or discuss anything I’ve said, please drop me a line. I’d be delighted to hear from you. In my next blog, I’ll look at how (or if) industrial companies can use “zero trust architectures” to improve cybersecurity. Stay tuned!
Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.