Use the Seven-Step OT Risk Assessment

Summary

A system controlling the fabrication of integrated circuits stopped abruptly during routine operations, destroying wafers worth $50,000. Another robot randomly swung its heavy metal arm around 180 degrees into an employee walkway. These were only accidents—imagine what a bad actor can orchestrate. To accurately decide which cyber defenses you need for optimum protection, it’s important to first take a look at your risk within operational technology (OT) environments. Which devices are most vulnerable? What are the attack surfaces?

Gartner recently punctuated the wake-up call that connecting assets to the internet also opens the door to ransomware, trojans, worms, and other nasty malware assaults. In the Market Guide for Operational Technology Security, Gartner identified the “Oh Wow!” moment—a polite term for the instant one realizes that failing to invest in modern cybersecurity is creating a self-inflicted threat. The moment a ransom demand arrives, it is already too late. What will be attacked next?

Users have a choice. Forego this scenario and combat the hacks by evaluating threats using this seven-step OT zero trust risk assessment toolkit.

Step 1: Take an inventory of OT assets

It seems simple, but without a comprehensive understanding of your machines, how do you know what’s at risk and needs protection (Figure 1)? Consider using tools that help streamline this process, such as portable security devices or endpoint applications that automatically inspect and inventory all types of OT devices from legacy, to modern, to air gapped.

Step 2: Evaluate OT security needs and tolerance

Remember that lessons learned from information technology (IT) may not apply to OT. IT cybersecurity assessments revolve around the CIA triad: confidentiality, integrity, and availability. Because IT systems are often used for company information, the highest priority is confidentiality. The opposite is needed for OT (Table 1). Machines work all day, every day, 24 hours per day. Productivity is key. Safety is critical. Availability is the priority.

Step 3: Assess threats

Hackers are constantly researching targets, developing or downloading hacking tools, looking for security holes, and attacking. Malware travels through networks disguised as regular traffic. Personnel walking onsite often carry hidden cyber threats within their laptops and USB drives. Each type of attack has a different threat level, and attackers often mix and match attacks.

Threat actors range from so-called “script kiddie” amateurs to state-employed professional hackers. Most corporate threats begin with threat actors dedicated to the field of cybercrime or cyber espionage who would like to use ransomware to extract payments. Professional threat actors work collaboratively as advanced persistent threat (APT) groups, which are the professionals of the cybercrime industry.

Researchers ranked the most common types of cyber-attacks unique to an industrial control system (ICS) (Table 2).

Step 4: Analyze risks

Operational technology functions in the physical world. The key difference between OT and IT cyber-attacks are the safety consequences:

• Safety of your team and your community
• Safety of your property
• Environmental safety

When evaluating risks, consider what damage could occur if your sensors or actuators are hijacked (Figure 2). Think about what happens when an attack propagates through connected systems. If your digital controllers stop functioning, what happens to your non-digital assets? When setting risk thresholds, safety considerations are critical.

OT zero trust risk analysis allows users to identify the most important risks so they can focus their budget and their team on responding to the most critical threats first. When a threat is identified, consider these questions:

• Which systems are vulnerable to the threat?
• What is the harm; i.e., can this threat attack my command controllers or other digital equipment
• What are the physical ramifications of the threat?
• What if the threat cascades locally or beyond?

While investigating whether a threat should be added to your risk assessment, consider using the MITRE ATT&CK matrix to understand the details of the threat. This is a curated knowledge base for cyber threats against OT, whereby researchers have investigated common attack strategies for assets and systems that are routinely targeted.

Step 5: Prioritize risks

The goal of a risk assessment is to understand and quantify threats so you can prioritize and deploy your cyber defenses where and when they are needed. You can use this to evaluate protections for safeguarding a single asset or your entire factory floor. We suggest adding risk scenarios to the threat assessment from Step 3 and the risk analysis from Step 4 to help with this.

To systematically rank and prioritize, assign a value to each risk vector. We use a 0 to 10 scale, but choose the quantification scheme that best reflects your situation and risk tolerance:

• Vulnerability severity: On a scale of 0 to 10, if this threat occurred, how severe would the damage be?
• Asset criticality: On a scale of 0 to 10, how important is this asset?
• Likelihood: On a scale of 0 to 10, how likely could the threat occur in your facility?
• Impact: On a scale of 0 to 10, what is the impact on productivity?
• Detectability: On a scale of 10 to 0, how will you know that you are under attack?

Compared to other scores, detectability scores are reversed. A low detection score is 10, meaning that you are more vulnerable because you cannot defend against what you don’t know about. To calculate the risk ranking, or risk priority, put the numbers from each risk vector into the following formula:

Priority = [severity + (criticality x 2) + (likelihood x 2) + (impact x 2) + (detectability x 2)] / 5

High-priority risks will be those with a risk ranking of 18 to 12. Medium risks are ranked from 12 to 6, and low risks have priority rankings under 6.

To quickly see which cyber defenses you need, sort by risk priority. You may even want to color-code your risk assessment (Table 3). In this example, Risk 1. Denial of control has the highest priority. The vulnerability is severe, and the asset is critical. The likelihood this may occur is medium, but if it does, the impact is high. It might or might not be easy to detect. Red color coding is used to show high severity.

Step 6: Monitor risks

Now that you have a good understanding of your risk priorities and what needs to be protected, you can find the solutions that best serve your needs to monitor and protect your OT network.

The four cornerstones of OT zero trust support continuous monitoring of your systems. We recommend ensuring that your OT strategy and tools cover each of the following cornerstones:

Inspect assets, take inventory, and destroy supply chain malware using portable security devices. These devices do not interrupt production so you can scan legacy and air-gapped assets, as well as perform routine or surprise inspections.

Lockdown assets by determining your trust policies so OT zero trust can enforce them. Your assets are armed with monitors that discern the situation and take the best course of action depending on what’s happening at any given time.

Segment your network into zero-trust zones and only allow trusted messages from trusted devices to enter a zone. Once inside, only trustworthy messages can be sent outside.

Reinforce cybersecurity by using endpoint protection with machinelearning threat intelligence and virtual patching to reduce risks.

Continually monitor your systems, assess threats, and activate your risk responses if needed. It is helpful to have all security devices report in real time to one cybersecurity defense console.

Step 7: Response to cyber incidents

Risk thresholds are unique to every company. For each risk you identify, you decide what response meets your comfort level. Risk responses are generally grouped into these categories:

• avoiding
• transferring
• sharing
• mitigating
• accepting the risk

The most important feature of any risk response is the ability of your system or your team to execute the response and stop the attack. OT zero trust locks down assets and monitors network traffic using trust lists that stop most attacks before they start.

ARM your organization with OT zero trust

While there is no guarantee of a risk-free world, this seven-step OT risk assessment is based on years of experience by industry leaders who have documented their findings in NIST and other standards, along with researchers who are solely dedicated to finding better ways to protect your operational technology.

To quickly review the seven steps:

1. Take inventory of your assets: OT zero trust-based portable security devices automatically inventory every asset during an inspection, making it easy to confirm the defensive status of standalone assets, newly arrived onboarding assets, and any devices brought onto the work site.

2. Develop a security plan to protect your assets: Understand the needs and priorities of your OT environment and your unique tolerance for the unexpected to inform your cybersecurity plan.

3. Assess threats: OT zero trust-based threat intelligence is always working for you, finding new trends that detect and prevent malware from lurking in the shadows of your systems and network.

4. Analyze risks to understand what is at stake: OT zero trust matches up protections with your assets to put dependable, easily maintained defenses in place before your network gets hit and your assets are in danger.

5. Prioritize risks: Quantifying risks gives you a powerful weapon to prioritize and justify your budget for cyber defenses.

6. Monitor risks: OT zero trust is a valued technology partner following your lead using your criteria to carry out the critical mission of tackling the 24x7x365 challenge of safeguarding your systems.

7. Respond to cyber incidents: Forego the “Oh Wow!” chaos and prepare your team and your cyber defenses to respond with an OT zero trust methodology.

Using OT zero trust, ARM yourself with a tried-and-true process that is summarized in the NIST Guide to Industrial Control Systems (ICS) Security: continually Assess risks, Respond to threats, and Monitor vulnerabilities.

_{This feature originally appeared in AUTOMATION 2022 Volume 4: Cybersecurity & Connectivity.}