Operational Risk, It's Not a Board Game

Increasingly, Industrial and Operational Technology (OT) security has been making headlines over the last few years. Whether it’s about the hacking of Iranian nuclear facilities, unleashing destructive malware into OT systems like the recent Triton incidents, or leveraging vulnerabilities in Safety Instrument Systems (SIS), OT cyber incidents have the potential to breach the digital world and result in real life physical consequences. However, due to the historically proprietary natures of these systems and the focus on the safety and availability, security is often the last consideration for most of these systems. Many common practices leveraged by IT security groups are almost non-existent in OT environments, including one of the most basic—risk assessment.

Why Risk Assessment?

Risk Assessments are meant to be part of a continuous process to evaluate the current security state of the OT environment. While there are many frameworks, best practices and tools which a company may choose from, it is important that this process be comprehensive and include certain key elements relevant to OT. Risk assessments are meant to highlight some of the key deficiencies of an organization and allow them to prioritize areas of focus as their OT security program matures. Many OT organizations often find themselves in a less mature state initially, but by performing a repeatable risk assessment methodology they can often quantify and eventually qualify the effectiveness of their OT security program.

Where to Start?

There are several key elements that should be included when conducting an OT risk assessment. In many cases, organizations may rely on outside consultants and regulatory requirements, or leverage internal IT resources for their initial risk assessment, but that program should include the following key elements:

  • Definition of Security Policies, Programs and Procedures: Having a framework or security policy, program, or procedure can form a starting point of many risk assessments. These may be adapted from existing documentation, be simple or complex, and incomplete but they serve as a starting point. These documents also help identify the direction for OT security, even if technology and tools may not yet be in place.
  • Asset Management Program: Having a current and accurate inventory of assets in the OT environment helps an organization understand exactly what it needs to protect. For many organizations this may be a manual process, but asset management will soon become an automated process.
  • Identifying Blind Spots: Not only should an organization identify what assets exist in an environment, areas where little to no visibility should also be considered when evaluating risk. In some cases, organizations may have to decide which is more important: the risk of not knowing versus the risk of deploying tools or technologies into their OT environment.
  • Identification of Tools and Technologies: As priorities, assets and blind spots are defined, organizations should identify potential tools that can help them meet those requirements. At first this may be general tools, such as log aggregation or SIEM; however, as maturity improves, specific tools and technologies should be chosen to address organizational requirements. It is important to periodically assess how those tools are being utilized versus what is defined in the security programs.
  • People are Essential: While risk assessments can help identify the key elements already discussed, the right people are essential when creating a proper risk assessment. Experts and stakeholders should be included when conducting a risk assessment. These experts and stakeholders help everyone understand what the potential risk is to people, the environment, equipment, and revenue for a company.  Experts and stakeholders should come from both OT and IT environments, especially when one group relies supports or is interconnected with the other (e.g. a DMZ).

Where Can I Learn More?

Our "Assessing Security Risk in Industrial/OT Environments" e-book provides guidance of key elements that should be part of the risk assessment process and can help OT groups begin their journey towards a more mature and secure OT environment.

Chris Duffey

Posted by