Risk Assessment and Gap Analysis for Industrial Control System infrastructure: the core essentials
2024-09-10 19:02:49 Source: securityboulevard.com

Conducting a risk assessment and gap analysis exercise for Industrial Control System environments is important from cybersecurity, business continuity, and risk mitigation perspectives. The goal is to bring risk exposure down to acceptable levels and to tighten the accepted risk tolerance with every assessment cycle, so that the enterprise's overall risk posture improves measurably from one cycle to the next.

The essentials of Industrial Risk Assessment and Gap Analysis

Where to start your Risk Assessment & Gap Analysis journey?

What is the best time to start an assessment? As a matter of practice, there should not be a gap of more than 300 days between consecutive OT/ICS & IoT risk assessment and gap analysis cycles. If 300 days have passed since your last ICS risk assessment, an assessment is due now. A 300-day interval gives your security team enough time to address the gaps identified in the last round while leaving sufficient time to plan the next assessment with your OT/ICS & IoT risk assessment and gap analysis vendor.

Such a time frame also spans multiple procurement cycles, so that the largest possible number of newly procured assets is captured in the assessment scope.

Planning an assessment is not just about bringing the plant and other stakeholders on board to agree on a schedule. Instead, an OT/ICS & IoT risk assessment and gap analysis planning exercise should ideally cover the following:

Planning an OT/ICS and IoT Risk Assessment and Gap Analysis

  • Put in place a way to measure the effect of the controls and remedial measures deployed since the last assessment  
  • Identify KPIs for the assessment; the scope of work finalized with the vendor should include clearly defined success criteria so that the assessment report is actionable and relevant  
  • While the enterprise is free to suggest assessment standards, the vendor should also propose standards or other inputs that improve the quality of the assessment. The important part is to ensure the suggestions are relevant and worth the time and attention of the assessors and plant employees  
  • Cover a qualitative pre-assessment stakeholder interaction, site visits, and formulation of the assessment roadmap  
  • Define how the current and proposed Security Levels will be determined as per IEC 62443  
  • Produce inputs for your OT Security Policy

An example from our experience of conducting OT/ICS and IoT Risk Assessment and Gap Analysis

In one of the OT/ICS risk assessment and gap analysis projects that Sectrio did recently, we covered an asset base spread over roughly 1,600 km (994 miles). In this project, the planning phase alone stretched over 38 days, as we also had to study the report submitted by another vendor during a previous assessment. Our pre-assessment teams additionally visited multiple sites to get a first-hand view of the infrastructure along with site-specific challenges and considerations.


Other considerations while planning a Risk Assessment and Gap Analysis: 

  • Identifying and measuring risks, including the probability of each risk materializing  
  • Ranking the risks by asset, process, and infrastructure  
  • Outlining a clear method to identify process deficiencies that may be contributing to a rise in risk exposure  
  • Drawing up the risk assessment procedure in line with the IEC 62443-3-2 standard  
  • Identifying the System(s) Under Consideration (SuC)

Focus areas for the pre-assessment phase   

The initial (pre-assessment) steps should ideally set the stage for a more comprehensive and relevant assessment exercise. However, the initial assessment should not be seen merely as an enabler for the next one. It stands on its own, and if done right, the gaps it identifies can be addressed as action items in their own right.

The following should be the focus areas for the pre-assessment phase: 

  • Worst-case scenario after a breach: when an event happens, what is the worst possible impact on the infrastructure?  
  • Identifying the security sensitivity and awareness levels of plant employees  
  • Medium-impact risks that could cause a compliance issue  
  • Identifying the highest areas of risk: processes, configurations, or potential security gaps that could lead to maximum disruption  
  • Identifying the target security level (SL-T) for each device or zone  
  • Identifying zones and segments  
  • Factors and inputs for an organization- or facility-level policy document

Simplifying the approach to OT/ICS and IoT Risk Assessment & Gap Analysis

  • Defining the system under consideration (SuC) for the ICS and its associated networks  
  • Partitioning the SuC into zones (and the conduits between them)  
  • Determining the Target Security Level (SL-T) of each zone from the risk assessment  
  • Documenting the Current Achieved Security Level (SL-A) of each zone as measured on site  
  • Identifying the Capability Security Level (SL-C) of the components deployed in each zone, since a zone whose SL-C is below its SL-T cannot reach the target through configuration alone  
  • Determining and documenting the steps required to close the gap between SL-A and SL-T
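As an added worked example (not Sectrio's methodology, and not data from any client engagement), the following Python script carries the zone-level procedure above through end to end: it validates SL-T, SL-A and SL-C vectors over the seven IEC 62443 foundational requirements (FR1 identification and authentication control through FR7 resource availability), computes the per-FR gap, flags FRs where SL-C is below SL-T so that configuration work alone cannot close the gap, and ranks zones so that the biggest exposure-weighted gap is addressed first. The ranking also covers the "identifying and measuring risks" and "ranking the risks" considerations listed earlier. The zone names, levels and scores are constructed, and the likelihood × impact exposure score and the exposure × gap priority weighting are assumptions for illustration, not part of the standard.

```python
"""IEC 62443-style zone gap analysis and risk ranking.

Added example, not Sectrio's methodology or any client's data: the zone
names, security levels and likelihood/impact scores are constructed.
Each security level is a vector of seven integers (0-4), one per
foundational requirement (FR1 to FR7), as IEC 62443 defines it.
"""
from dataclasses import dataclass

FRS = ("FR1-IAC", "FR2-UC", "FR3-SI", "FR4-DC", "FR5-RDF", "FR6-TRE", "FR7-RA")


def is_valid_vector(vec) -> bool:
    """A security-level vector has exactly seven entries, each an int in 0..4."""
    return len(vec) == len(FRS) and all(isinstance(v, int) and 0 <= v <= 4 for v in vec)


@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: tuple      # target level, set by the detailed risk assessment (IEC 62443-3-2)
    sl_a: tuple      # achieved level, measured during the on-site assessment
    sl_c: tuple      # capability of the deployed components when properly configured
    likelihood: int  # 1 (rare) to 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) to 5 (plant-wide outage or safety event); assumed scale

    def __post_init__(self):
        for label, vec in (("SL-T", self.sl_t), ("SL-A", self.sl_a), ("SL-C", self.sl_c)):
            if not is_valid_vector(vec):
                raise ValueError(f"{self.name}: {label} must be 7 integers in 0..4, got {vec}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be in 1..5")


def gap_vector(zone: Zone) -> tuple:
    """Per-FR shortfall of SL-A against SL-T; 0 where the target is already met."""
    return tuple(max(0, t - a) for t, a in zip(zone.sl_t, zone.sl_a))


def unreachable_frs(zone: Zone) -> list:
    """FRs where the installed components cannot reach SL-T even when fully
    configured, so configuration work alone will not close the gap."""
    return [fr for fr, t, c in zip(FRS, zone.sl_t, zone.sl_c) if c < t]


def risk_exposure(zone: Zone) -> int:
    """Assumed likelihood x impact score (1..25); not part of IEC 62443."""
    return zone.likelihood * zone.impact


def remediation_plan(zone: Zone) -> list:
    """Human-readable steps to reach SL-T, flagging where new components are needed."""
    steps = []
    for fr, t, a, c in zip(FRS, zone.sl_t, zone.sl_a, zone.sl_c):
        if a >= t:
            continue
        step = f"{fr}: raise SL-A from {a} to {t}"
        if c < t:
            step += f" (requires component upgrade or compensating control: SL-C is {c})"
        steps.append(step)
    return steps


def assess(zones) -> list:
    """Rank zones so the largest exposure-weighted gap comes first."""
    rows = []
    for z in zones:
        gap = gap_vector(z)
        rows.append({
            "zone": z.name,
            "exposure": risk_exposure(z),
            "gap": gap,
            "total_gap": sum(gap),
            "meets_target": sum(gap) == 0,
            "needs_new_components": unreachable_frs(z),
            "priority": risk_exposure(z) * sum(gap),  # assumed weighting
        })
    rows.sort(key=lambda r: (r["priority"], r["exposure"]), reverse=True)
    return rows


# Constructed sample SuC: three zones of a hypothetical plant.
SAMPLE_ZONES = [
    Zone("Safety-instrumented zone", sl_t=(3, 3, 3, 3, 3, 3, 3), sl_a=(2, 1, 2, 2, 3, 1, 3),
         sl_c=(3, 3, 3, 3, 3, 2, 3), likelihood=2, impact=5),
    Zone("Supervisory DCS zone", sl_t=(2, 2, 2, 2, 2, 2, 2), sl_a=(2, 2, 1, 2, 2, 2, 2),
         sl_c=(3, 3, 3, 3, 3, 3, 3), likelihood=3, impact=4),
    Zone("IT/OT DMZ", sl_t=(2, 2, 2, 2, 2, 2, 2), sl_a=(2, 2, 2, 2, 2, 2, 2),
         sl_c=(3, 3, 3, 3, 3, 3, 3), likelihood=4, impact=2),
]

if __name__ == "__main__":
    by_name = {z.name: z for z in SAMPLE_ZONES}
    for row in assess(SAMPLE_ZONES):
        status = "meets SL-T" if row["meets_target"] else f"gap {row['gap']}"
        print(f"{row['zone']:<28} exposure={row['exposure']:>2} priority={row['priority']:>3} {status}")
        for step in remediation_plan(by_name[row["zone"]]):
            print("   -", step)
```

Run as a script it prints the ranked zones with their remediation steps; the safety-instrumented zone sorts first because its gap is spread across five FRs and one of them (FR6) cannot be closed with the installed components, while the DMZ already meets its target and drops to the bottom regardless of its higher likelihood score.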

Considerations for an On-site Risk Assessment and Gap Analysis

  • Provide all the support requested by the OT/ICS & IoT risk assessment and gap analysis vendor  
  • Provide requested documents for review once the vendor has justified the request (this could include existing ICS security policies, network architecture diagrams, etc.)  
  • The Risk Assessment and Gap Analysis (RAGA) team should be given unhindered access to all parts of the infrastructure  
  • At the end of each assessment day, the vendor should share an assessment progress note with the concerned stakeholders and teams  
  • Any critical issue with immediate security or infrastructure consequences should be flagged by the vendor for immediate action and communicated to the relevant teams on priority, without waiting for the end of the on-site assessment

Things to watch out for

A less than diligent assessment can tick a checklist line item but will never produce a substantial change in an organization's security posture.

Sectrio has worked with many enterprises where someone else had conducted the assessment but the findings were of no use to the teams or to the business. So how do you protect your business from unhelpful assessments? Here is how:

  • Ask the assessment vendor to share sample assessment reports that detail their approach. Study such reports for signs of a template at play  
  • Some vendors simply reuse a template across multiple assessments. Such templates contain very little useful or actionable information and deliver no value  
  • Besides templates, some assessment vendors deliver reports that are little more than summaries, full of complex jargon and very little actionable information  
  • Beware of assessment vendors that claim to do assessments without site visits  
  • Vendors that do not spell out the methodology and report structure along with the actionable benefits should be asked to restructure their approach  
  • At the very least, assessment vendors should apply the IEC 62443-3-2 standard in detail in their assessments  
  • Ask the vendor to share the assessment checklist along with the methodology  
  • Question the vendor on the steps, outcomes, and KPIs  
  • You can also ask the vendor to share the remediation steps they suggested in previous engagements  
  • Ask them to outline the calculation methods they use to determine risk exposure and residual risk

When done well, an OT/ICS & IoT Risk Assessment and Gap Analysis Exercise can turn into a helpful ally to improve your security posture.  

Sectrio can help you with an OT/ICS and IoT Risk Assessment and Gap Analysis

Sectrio has extensive experience in securing enterprises across the globe using proprietary Risk Assessment and Gap analysis methodologies aligned with IEC 62443 and NIST CSF. Our assessments are decision-oriented and provide a complete picture of your security level along with clear measures to improve security levels and address any compliance mandate or security concern.  

Talk to us today for more. 

Contact us | Request for a quotation

*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Prayukth K V. Read the original post at: https://sectrio.com/blog/risk-assessment-and-gap-analysis-essentials/


Article source: https://securityboulevard.com/2024/09/risk-assessment-and-gap-analysis-for-industrial-control-system-infrastructure-the-core-essentials/