During a recent discussion, I was asked directly what the purpose of a Cybersecurity Risk Assessment is, as opposed to moving directly into the implementation of security best practices by default. It was a fair question asked earnestly, and it got me thinking. Maybe I could use this opportunity to offer a perspective that others may benefit from, or at a minimum relate to.
I interpret the purpose of a risk-based Cybersecurity approach to be an objective method for determining the appropriate response to specific cyber threats, with emphasis on appropriate. The identified threats are analyzed to determine the quantifiable potential of each to negatively impact the process control systems, resulting in measurable consequences. This method allows us to determine which controls to implement and, strategically, to what level, why, where, and how. In this way, the level of positive impact on the identified risks is revealed and balanced. The approach is designed for repeatability and allows for iteration as the system, the organization, and the threats change over the course of the ICS lifecycle.
The follow-up question was: how do we determine these things? Or, more specifically, how do we quantify them to achieve this balance?
We do so through a methodical approach that qualifies and quantifies the consequence and the likelihood of exploitation into measured risk. Once the risk is measured, we seek to derive an effective but commensurate response. I think most would agree that it is undesirable to expend unnecessary, and perhaps significant, resources to protect system assets at a level grossly misaligned with the actual need. This methodical approach addresses that very issue.
If we look at consequences, they range from financial, regulatory, and safety impacts to loss of public confidence and even legal repercussions. These consequences can be estimated and weighted, and they form one part of the risk equation. The other part is determining how vulnerable the systems and assets are, and which threat sources, possessing what means, could exploit the type and level of vulnerabilities identified. This part, like consequences, is also measurable. The result is an equation by which a security level target becomes the goal. Achieving that goal revolves around developing an appropriate Cybersecurity posture that is, by design, a balanced response. Security controls are selected to provide risk mitigation through technical features such as architecture design and configuration methods, through policy and procedural adaptations, or through business culture changes and awareness training. Ultimately, and perhaps most importantly, the selections are made at the right level to support the desired harmony of cost vs. benefit.
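As an added illustration, not part of the original post, here is a small Python risk register that carries the equation above through: the consequence categories named here are weighted, likelihood combines asset exposure with the means of the threat source, the product is mapped to a target security level, and the measurement is repeated after a control is applied. The weights, rating scales, level thresholds and sample threats are assumptions chosen for the example, not values from the post.

```python
from dataclasses import dataclass
# Consequence categories named in the post; the weights are assumed for this example.
CONSEQUENCE_WEIGHTS = {"financial": 0.25, "regulatory": 0.15, "safety": 0.35,
                       "public_confidence": 0.10, "legal": 0.15}

@dataclass
class Threat:
    name: str
    consequences: dict   # category -> rating 1 (negligible) .. 5 (severe); assumed scale
    vulnerability: int   # exposure of the asset, 1 (hardened) .. 5 (widely exposed)
    capability: int      # means of the threat source, 1 (opportunistic) .. 5 (well resourced)

def consequence_score(threat):
    """Weighted consequence rating on the 1..5 scale."""
    return sum(CONSEQUENCE_WEIGHTS[c] * r for c, r in threat.consequences.items())

def likelihood_score(threat):
    """Likelihood of exploitation: geometric mean of exposure and attacker means, 1..5."""
    return (threat.vulnerability * threat.capability) ** 0.5

def risk_score(threat):
    """Measured risk = consequence x likelihood, range 1..25."""
    return consequence_score(threat) * likelihood_score(threat)

def target_security_level(risk):
    """Map measured risk to a four-step target level (thresholds assumed)."""
    return 4 if risk >= 16 else 3 if risk >= 10 else 2 if risk >= 5 else 1

def apply_control(threat, exposure_reduction):
    """Iteration step: re-measure after a mitigating control lowers exposure."""
    return Threat(threat.name, threat.consequences,
                  max(1, threat.vulnerability - exposure_reduction), threat.capability)

def assess(register):
    """Rank a register by measured risk, highest first: (name, risk, target level)."""
    rows = [(t.name, round(risk_score(t), 2), target_security_level(risk_score(t)))
            for t in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register (illustrative ratings only).
REGISTER = [
    Threat("remote access to engineering workstation",
           {"financial": 4, "regulatory": 3, "safety": 5, "public_confidence": 2, "legal": 3}, 4, 4),
    Threat("malware on historian via removable media",
           {"financial": 3, "regulatory": 2, "safety": 2, "public_confidence": 2, "legal": 1}, 3, 2),
]
if __name__ == "__main__":
    print(assess(REGISTER))
    print(assess([apply_control(REGISTER[0], 3)]))
```

The second print shows the iteration the post describes: once a control drops the first threat's exposure from 4 to 1, its measured risk falls from 15.4 to 7.7 and the target level from 3 to 2, so the remaining spend can be sized to that lower level.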
Several great frameworks provide practical and structured approaches to establishing a risk-based Cybersecurity plan. The essential concepts of the vast majority are in alignment with one another, at least philosophically. I highly recommend leveraging a framework and taking this approach. That said, although these sources provide the structure and guidelines that form the components of a plan, it is the ICS owners who provide the vision and authority to create momentum, and the Cybersecurity professionals who provide the skills and expertise to make that vision a reality. Lay some pavement and soon a road begins to form!