The advent of communication networks within industrial environments has proven to compress decision cycles, increase productivity, free organizations of many resource constraints, and increase the safety and reliability of operations. The reliance on real-time operational data to drive business decisions has led to significantly increased physical asset connectivity within industrial environments. Over the last 20 years, this increase has opened the way for attackers to potentially compromise process functions through the very communication networks that are depended upon for control and safety. This fact has motivated security professionals to develop a plethora of security assessment frameworks, including frameworks specifically designed to identify vulnerabilities and mitigate the risk of cyber attacks within industrial control systems (ICS).
However, no single assessment framework allows industrial asset owners to scope and prioritize the most critical network assets and processes together with their network dependencies: the assets whose failure would result in a loss of the ability to operate. This paper introduces an easily applied and repeatable scoping model that helps security analysts identify starting points for cyber threat hunts, incident response planning, penetration/vulnerability assessments, and cyber security strategies for ICS environments. It does so by merging traditional IT risk methodologies with historically proven engineering and process risk methodologies, aligning network assets to known risk metrics within operational environments. We describe this scoping model by laying out a foundational analytic framework that starts with system and functional analysis and leverages completed Process Hazard Analysis (PHA), P&ID reviews, and their associated control strategies within the industrial environment. We use the results of these analyses to identify the control network dependencies of critical processes and thereby systematically determine the crown jewels, in the same way an attacker would identify them in order to affect system functions.
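As an added illustration, not code from the paper, the following Python sketch shows one way the pieces named above could be combined: PHA consequence severities for processes, the control assets each process depends on, and the network assets those controls in turn rely on, ranked to surface candidate crown jewels. The severity scale, the ranking rule (highest severity underpinned, then number of processes underpinned) and all asset names are assumptions constructed for the example.

```python
"""Toy crown-jewel scoping: rank control-network assets by the PHA consequence
severity of the processes that transitively depend on them (assumed scoring rule)."""
from collections import defaultdict

# Constructed sample data; severities and names are illustrative, not from any facility.
# Assumed PHA consequence severity per process: 1 (negligible) .. 5 (catastrophic).
PHA_SEVERITY = {
    "reactor_pressure_control": 5,
    "cooling_water_loop": 4,
    "product_blending": 2,
}

# Control strategy: process -> control assets it cannot run without.
PROCESS_CONTROLS = {
    "reactor_pressure_control": ["plc_r1", "hmi_ops1"],
    "cooling_water_loop": ["plc_cw1", "hmi_ops1"],
    "product_blending": ["plc_b1", "hmi_ops2"],
}

# Network dependency: asset -> assets whose loss takes it out of service.
NETWORK_DEPS = {
    "plc_r1": ["sw_cell1"], "plc_cw1": ["sw_cell1"], "plc_b1": ["sw_cell2"],
    "hmi_ops1": ["sw_core", "eng_ws"], "hmi_ops2": ["sw_core"],
    "sw_cell1": ["sw_core"], "sw_cell2": ["sw_core"], "eng_ws": ["sw_core"],
    "sw_core": [],
}


def transitive_deps(asset, deps):
    """Return the asset itself plus everything it transitively depends on."""
    stack, seen = [asset], set()
    while stack:  # iterative DFS; tolerates cycles in the dependency map
        a = stack.pop()
        if a not in seen:
            seen.add(a)
            stack.extend(deps.get(a, []))
    return seen


def crown_jewels(severity, controls, deps):
    """Rank assets by (max severity underpinned, number of processes underpinned, name)."""
    impact = defaultdict(lambda: {"max_severity": 0, "processes": set()})
    for process, assets in controls.items():
        for asset in assets:
            for dep in transitive_deps(asset, deps):  # propagate impact down the chain
                rec = impact[dep]
                rec["max_severity"] = max(rec["max_severity"], severity[process])
                rec["processes"].add(process)
    return sorted(impact.items(),
                  key=lambda kv: (-kv[1]["max_severity"], -len(kv[1]["processes"]), kv[0]))


if __name__ == "__main__":
    for name, rec in crown_jewels(PHA_SEVERITY, PROCESS_CONTROLS, NETWORK_DEPS):
        print(f"{name:10} severity={rec['max_severity']} processes={sorted(rec['processes'])}")
```

In this constructed data the core switch underpins every process and the shared operator HMI and cell switch both underpin the two highest-severity processes, which is exactly the kind of shared dependency a PLC-only inventory would miss.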
The analytic results produced by this model allow a security analyst to work from the starting point of identified risks to processes. Cyber attackers often assess the feasibility of affecting system functions in a similar fashion. Therefore, a key assumption must be made up front in this analytic process: when determining the most impactful risk of a cyber attack, the analyst should assume the position of highest impact to the system's functional output, which can be defined as the organization's bottom line.