To date in this series of blog posts on cybersecurity for industrial companies across the Middle East, I’ve looked, firstly, at why Chief Information Security Officers (CISOs) often have limited control over cybersecurity for operational technology (OT); and, secondly, at how to get cybersecurity governance right in an industrial business.

In this third blog, I shift the focus to how best to assess and manage the cyber risks in OT environments and complex engineering projects. And I argue that the traditional approaches for risk analysis are not appropriate to manage the cyber risks of industrial companies – meaning that new and different forms of risk assessment are needed.

Moving away from probability

To help me explain why this is the case, let me begin with some background. The traditional methodologies used for assessing risks – including cybersecurity risk – are based on the definition of scenarios (typically a threat acting on a vulnerability to cause an impact on an asset), and the assignment of the probability of occurrence of that scenario.

This probability creates the first challenge when using this approach in industrial environments: the subjectivity of the assessment. Financial institutions and insurance companies have a wealth of historical data on which to assess the probability that a particular threat may materialize, but industrial companies have been doing these types of exercises for just a few years. That means that, in most cases, the assigned probability is an estimation or educated guess that is not backed up by objective data.

The scenarios are simplifications of a complex reality, trying to strike a balance between accuracy and ease of use. Since it is impossible to model all potential scenarios, some compromises must be made to keep the risk assessment exercise practical.

During scenario modeling, it’s usual to find scenarios that could have an enormous potential impact but are extremely unlikely to happen. These are known as “black swans.” Due to their low probability, black swans are considered outliers and, as such, are usually kept out of the risk assessment. But even if they are taken into account, it can be hard to find an accurate measure of risk.

Towards a focus on impacts

Traditional risk assessment methodologies combine the level of impact of a scenario with its probability to calculate the associated risk. On a typical risk matrix, a black swan (an extremely high impact combined with an extremely low probability) lands in a medium risk band, and is prioritized accordingly.

This would make sense from a financial risk point of view; after all, it's really only money that's at stake. But if you look at industrial companies, there's much more at stake than that. The potential impacts of risks here extend to the physical world, including human lives and the environment. That's why, regardless of how low their probability appears to be, these events should be considered as part of the risk analysis.

How to do this? As I mentioned earlier, it’s not feasible to model all the potential scenarios that can generate risks. So a new approach is needed: one that’s more suited to OT environments and addresses the challenges in those environments.

From “could happen” to “will happen”

The solution lies in changing the way risk is calculated. Instead of working from the likelihood that a possible scenario might occur, we assume that an adverse event will materialize at some point in the future and will create some impact. The effect? Risk is no longer a function of the probability of something happening multiplied by its impact; it becomes a function of how well the organization is protected if and when that impact arises.

This change makes sense in practical terms. Modelling impacts is much easier than modelling complete scenarios. It’s possible to develop a very accurate understanding of what would be at stake in the case of something going wrong – regardless of what it actually is that goes wrong.

As a result, the focus shifts to how well-prepared the organization is to minimize the impact of an incident or disaster and achieve a prompt recovery. And the level of preparedness can be established by the definition of a target cybersecurity posture for each system.

The cybersecurity posture can be defined by describing different levels of implementation for a set of applicable security controls. The more critical the system under assessment is (the higher the potential impact), the more demanding the level of implementation for the security controls needs to be. This way, an organization’s level of preparedness can be determined through a controls effectiveness assessment.

Cybersecurity remains key – underpinned by standards

What does this impact-based approach mean for cybersecurity on engineering projects? It certainly doesn’t mean we should forget about cybersecurity measures. On the contrary, we should still be diligent about minimizing cybersecurity risks.

However, since it's clearly impossible to determine in advance the nature of all potential cyber events, we would ideally have measures in place to manage every potential eventuality. The problem? In most cases, this is neither practical nor even possible. So, as a proxy for covering all eventualities, what's needed is an approach based on rigorous compliance with cybersecurity standards.

Based on these standards, we would recommend that organizations create a baseline of security controls that are applicable to the environment within scope. This baseline should consider the importance of each system according to the potential impacts that an incident involving the system could cause. The outcome is a tiered approach – one where key safety systems should have the maximum level of protection that the security controls can provide, while ancillary systems that cannot cause disturbance in the physical process could be left with just basic security measures.
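As an added illustration (not the author's method, nor a tool from the original post), the small Python model below shows how the impact-driven posture assessment and the tiered baseline described above fit together: each system gets an impact tier from its worst credible physical consequence, the tier selects a target implementation level per control, and preparedness is scored as the shortfall against that target rather than as probability times impact. The control names, the three tiers, the target levels and the two sample systems are hypothetical placeholders; a real baseline would take them from whichever standard the organization adopts. The traditional_risk helper is included only to show the black-swan collapse to "medium" discussed earlier.

```python
"""Impact-driven OT posture assessment (illustrative example, not a product).

All control names, tiers, target levels and sample systems are constructed
placeholders for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Implementation levels for a control, from absent to rigorous.
LEVELS = {0: "not implemented", 1: "basic", 2: "managed", 3: "rigorous"}

# Target level per control for each impact tier:
# 1 = ancillary (cannot disturb the physical process),
# 2 = process-affecting, 3 = safety-related. Hypothetical values.
TARGET_POSTURE = {
    "network_segmentation":  {1: 1, 2: 2, 3: 3},
    "remote_access_control": {1: 1, 2: 2, 3: 3},
    "patch_and_vuln_mgmt":   {1: 1, 2: 2, 3: 3},
    "backup_and_recovery":   {1: 1, 2: 2, 3: 3},
    "anomaly_detection":     {1: 0, 2: 2, 3: 3},  # not required for tier 1
}


@dataclass
class System:
    name: str
    safety_impact: int        # 0..3 worst credible consequence for people
    environment_impact: int   # 0..3 worst credible environmental consequence
    production_impact: int    # 0..3 worst credible production loss
    implemented: dict = field(default_factory=dict)  # control -> level 0..3


def impact_tier(system: System) -> int:
    """Criticality follows the worst credible consequence, not its probability."""
    worst = max(system.safety_impact, system.environment_impact,
                system.production_impact)
    return max(1, worst)  # every in-scope system gets at least the basic tier


def assess(system: System) -> dict:
    """Controls-effectiveness assessment against the tier's target posture."""
    tier = impact_tier(system)
    gaps, achieved, required = {}, 0, 0
    for control, targets in TARGET_POSTURE.items():
        target = targets[tier]
        # Cap at target: over-implementing one control must not offset a gap elsewhere.
        actual = min(system.implemented.get(control, 0), target)
        required += target
        achieved += actual
        if actual < target:
            gaps[control] = (actual, target)
    preparedness = achieved / required if required else 1.0
    # Exposure grows with the impact tier and with the shortfall in preparedness;
    # it is the quantity to prioritize on, in place of probability x impact.
    exposure = tier * (1.0 - preparedness)
    return {"tier": tier, "preparedness": round(preparedness, 2),
            "exposure": round(exposure, 2), "gaps": gaps}


def rank_systems(systems: list[System]) -> list[str]:
    """Names ordered by exposure, highest first (remediation order)."""
    return [s.name for s in sorted(systems, key=lambda s: assess(s)["exposure"],
                                   reverse=True)]


def traditional_risk(probability: int, impact: int) -> str:
    """Classic 1..5 x 1..5 matrix: a black swan (p=1, i=5) lands on 'medium'."""
    score = probability * impact
    return "high" if score >= 15 else "medium" if score >= 5 else "low"


# Constructed sample inventory: a safety instrumented system and a historian.
SAMPLE_SYSTEMS = [
    System("SIS-01", safety_impact=3, environment_impact=2, production_impact=3,
           implemented={"network_segmentation": 3, "remote_access_control": 2,
                        "patch_and_vuln_mgmt": 1, "backup_and_recovery": 3,
                        "anomaly_detection": 1}),
    System("HIST-02", safety_impact=0, environment_impact=0, production_impact=1,
           implemented={"network_segmentation": 1, "backup_and_recovery": 1}),
]

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        print(s.name, assess(s))
    print("remediation order:", rank_systems(SAMPLE_SYSTEMS))
    print("black swan on a classic matrix:", traditional_risk(1, 5))
```

Note what the ranking does: the historian has the lower preparedness ratio (0.5 versus 0.67), but the safety system comes first because its tier multiplies the shortfall. That is the practical meaning of "the more critical the system, the more demanding the level of implementation".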

What’s next?

A final thought. During my career, I've seen many, many risk assessments for industrial control systems that used the same methods and tools as when assessing risks for a bank or retailer. The difference? With industrial controls there are lives at stake. And the way the risks are assessed should reflect that. The proposed method is not a silver bullet; it is just an alternative view on how to analyze risks that, in my opinion, has certain advantages over traditional methodologies.

As ever, if you’d like to know more, or discuss anything I’ve said, please drop me a line. I’d be delighted to hear from you. In my next blog, I’ll look at how (or if) industrial companies can use “zero trust architectures” to improve cybersecurity. Stay tuned!

Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.

Ignacio Paredes

Managing Director – Technology, Cybersecurity Energy Lead, Middle East
