© ONRIX 2018

Cyber Security Risk Assessment Approach

Discover, Identify and Analyse

The primary concerns in an industrial process environment are the need to maintain component and system integrity and to ensure continuous availability. The level of security to apply (effort and budget) will depend on a number of variables linked to the following topics (not exhaustive):

  • What is the impact criticality of systems within the facility?

  • Which type of impacts can be expected should systems not function normally?

    • Loss of operational functionality

    • Financial losses

    • Health and safety risks

    • Environmental damage risks

    • Regulatory non-compliance 

  • Are any of these systems interconnected with other networks?

    • Corporate networks

    • Supplier networks

    • Partner networks

  • What level of risk is attributed to systems from cyber-attacks or malware infections?

  • How well are they protected from human error?

This is accomplished through risk discovery sessions (workshops) aimed at the individuals responsible for ensuring the continuous reliability and availability of digital computing systems. These workshops require an average of 3 hours of active involvement per system to extract the valuable experience and knowledge of a mix of individuals representing operations and maintenance.

Measuring

We translate the above concerns into measurable categories in order to better understand the degree to which these systems are vulnerable and their capability to recover should they be disrupted. We view the following risk management elements as key to adopting an improved cyber security risk posture:

  • Identification of the criticality of the industrial computing systems and their individual components;

  • Security management principles to ensure that procedures and human conduct are in sync with good security practices;

  • The recovery capability of computing devices and the ongoing reliability of computing systems;

  • Access to systems by combined digital and physical means;

  • Identifying existing vulnerabilities of software and hardware of computing systems in the industrial environment.

An additional benefit of the methodology is that it opens communication between team members and other parties. Many security problems stem from a lack of communication and a lack of clear roles and responsibilities. The risk assessment workshop provides a method to discover these weaknesses and resolve the most important issues. The added benefits of the workshops are:

  • Resolution of location-based roles and responsibilities

  • Clarification of roles and responsibilities between IT and OT

  • Compliance with corporate and local security measures for suppliers and consultants

  • Indication of where specific technical tests should be performed (technical scans and penetration testing)

  • A better understanding of the use of digital computing devices

  • A better understanding of the digital “flow” of data and information

  • A base upon which clear key performance indicators can be built

The risk assessment workshops are dedicated to extracting critical individual knowledge of systems, providing cyber security understanding and ensuring a blameless shift to commonly agreed mitigating actions.
