Improving OT Defense and Response with Consequence-Driven ICS Cybersecurity Scoping
The advent of communication networks within industrial environments has compressed decision cycles, increased productivity, freed organizations of many resource constraints, and improved the safety and reliability of operations. The emphasis on real-time operational data to drive business decisions has in turn led to significantly increased physical asset connectivity within industrial environments. Over the last 20 years, this trend has opened the way for attackers to compromise process functions through the very communication networks that are depended upon for control and safety. This has motivated security professionals to develop a plethora of security assessment frameworks, including frameworks designed specifically to identify vulnerabilities and mitigate the risk of cyber attacks within industrial control systems (ICS).
However, no single assessment framework allows industrial asset owners to scope and prioritize the most critical network assets and processes, together with their network dependencies, whose failure would result in a loss of the ability to operate. This paper introduces an easily applied and repeatable scoping model that helps security analysts identify starting points for cyber threat hunts, incident response planning, penetration and vulnerability assessments, and cyber security strategies for ICS environments. It does so by merging traditional IT risk methodologies with historically proven engineering and process risk methodologies, aligning network assets to known risk metrics within operational environments. We describe the scoping model by laying out a foundational analytic framework that starts with system and functional analysis and leverages completed Process Hazard Analysis (PHA) studies, piping and instrumentation diagram (P&ID) reviews, and their associated control strategies within the industrial environment. We use the results of these analyses to identify the control network dependencies of critical processes and so systematically determine the crown jewels, as an attacker seeking to affect system functions would determine them.
The analytic results within this model allow a security analyst to work from the starting point of identified risks to processes. Cyber attackers often assess the feasibility of affecting system functions in a similar fashion. Therefore, a key assumption must be made up front in this analytic process: when determining the most impactful risk of a cyber attack, the analyst should assume the position of highest impact on a system’s functional output, which can be defined as the organization’s bottom line.
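The scoping flow described above (PHA consequence ratings, control functions from the P&ID review, and the network assets those functions depend on, ranked from the worst-case position an attacker would take) can be shown end to end with a small script. The following is an added illustration, not code from the paper or from Dragos; the PHA scenarios, control functions, asset names and dependency graph are constructed for the example, and the scoring rule (each asset inherits the highest consequence severity of any scenario it can influence, then ties are broken by how many scenarios it touches) is an assumption chosen to match the "highest impact" position the text calls for.

```python
"""Consequence-driven crown-jewel scoping: an added worked example.

All data below is constructed for illustration. Severity uses a 1 (minor)
to 5 (catastrophic) scale as a PHA team might assign to a scenario.
"""

# Constructed PHA rows: each hazard scenario, its worst-case consequence
# severity, and the control/safeguard functions whose manipulation or
# failure enables it.
PHA_SCENARIOS = [
    {"id": "PHA-01", "scenario": "Reactor overpressure", "severity": 5,
     "functions": ["reactor_pressure_control", "reactor_sis_trip"]},
    {"id": "PHA-02", "scenario": "Loss of cooling water flow", "severity": 4,
     "functions": ["cooling_water_control"]},
    {"id": "PHA-03", "scenario": "Tank overfill (product loss)", "severity": 2,
     "functions": ["tank_level_control"]},
]

# Constructed mapping from each control function to the network assets that
# implement it, as would come out of a P&ID / control-narrative review.
FUNCTION_ASSETS = {
    "reactor_pressure_control": ["PLC-R1", "HMI-A"],
    "reactor_sis_trip": ["SIS-1"],
    "cooling_water_control": ["PLC-U2", "HMI-A"],
    "tank_level_control": ["PLC-T3", "HMI-B"],
}

# Constructed control-network dependencies: asset -> assets it relies on.
# An attacker who controls a dependency can reach or disrupt the dependent.
# SIS-1 is deliberately isolated (no network dependencies).
ASSET_DEPENDENCIES = {
    "PLC-R1": ["SW-CELL1"],
    "PLC-U2": ["SW-CELL1"],
    "PLC-T3": ["SW-CELL2"],
    "HMI-A": ["SW-CELL1", "EWS-1"],
    "HMI-B": ["SW-CELL2", "EWS-1"],
    "SIS-1": [],
    "SW-CELL1": ["FW-OT"],
    "SW-CELL2": ["FW-OT"],
    "EWS-1": ["FW-OT"],
    "FW-OT": [],
}


def transitive_dependencies(asset, dependencies):
    """All assets the given asset depends on, directly or indirectly."""
    seen, stack = set(), list(dependencies.get(asset, []))
    while stack:
        a = stack.pop()
        if a in seen:
            continue
        seen.add(a)
        stack.extend(dependencies.get(a, []))
    return seen


def score_assets(scenarios, function_assets, dependencies):
    """Map each asset to (highest severity it can influence, scenario ids).

    Severity propagates from a scenario to the assets implementing its
    control functions and onward to everything those assets depend on,
    because compromising a dependency is one attacker path to the function.
    """
    scores = {}
    for s in scenarios:
        direct = set()
        for f in s["functions"]:
            direct.update(function_assets[f])
        reach = set(direct)
        for a in direct:
            reach |= transitive_dependencies(a, dependencies)
        for a in reach:
            sev, ids = scores.get(a, (0, set()))
            scores[a] = (max(sev, s["severity"]), ids | {s["id"]})
    return scores


def rank_crown_jewels(scores):
    """Order assets by worst-case severity, then breadth of scenarios, then name."""
    return sorted(scores, key=lambda a: (-scores[a][0], -len(scores[a][1]), a))


def scoping_starting_points(scores, min_severity):
    """Assets that can influence any scenario at or above the given severity;
    a starting scope for a threat hunt, IR plan or assessment."""
    return {a for a, (sev, _) in scores.items() if sev >= min_severity}


if __name__ == "__main__":
    scores = score_assets(PHA_SCENARIOS, FUNCTION_ASSETS, ASSET_DEPENDENCIES)
    for asset in rank_crown_jewels(scores):
        sev, ids = scores[asset]
        print(f"{asset:9} severity={sev} scenarios={sorted(ids)}")
    print("scope (severity >= 4):", sorted(scoping_starting_points(scores, 4)))
```

On this constructed data the engineering workstation and the OT firewall rank above any individual PLC: neither appears in a PHA row, but both sit on the dependency path of every high-consequence control function, which is exactly the kind of shared dependency an attacker would target and an IT-only asset inventory would not flag as process-critical. The isolated safety system still scores at severity 5 purely from the hazard it guards, which is the intended behaviour: consequence, not connectivity, drives the ranking.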