Risk Assessment Based on Network Industrial Control System Segmentation
Amit Singh
Sr. Control Systems & Instrumentation Engineering Professional | Functionally Safe & Cyber Secured Critical OT Infra Engineering Specialist | IEC 61511 FSE Certified TUV | ISA99/IEC 62443 Certified Fundamental Specialist
Risk mitigation measures are the scale of compensating countermeasures applied to an asset or its environment. In the Industrial Control System context, IEC 62443-3-2, which belongs to the System requirements (one of the four pillars: General, Policies & Procedures, System and Component), defines a risk assessment workflow that revolves around a cyclic process of seven steps (as shown in the accompanying pictorial).
1- Identification of the System (the ICS, also known as the System under Consideration or SuC) varies drastically depending on whether it is an existing installed base (brownfield operating assets) or the conceptualization of a new greenfield asset.
NOTE: Knowing our own engineered system plays a crucial role in the assessment process. The more attributes, specifications, functionalities and limitations one is aware of, the more rationalized the assessment will be, rather than a subjective one that jumps straight to "worst case scenario" pitfalls.
Inputs required: Functional Design Specifications, System & Network Architecture, Bill of Materials extended up to a detailed Asset Inventory Register, etc.
2- The initial risk assessment kicks off the high-level risk assessment. It considers the gaps and their consequences on the HSE scale, exactly as is done for process safety risk, against the defined organizational corporate risk matrix or risk appetite.
3- The heart of Industrial Control System risk assessment is the "Engineered Control" or "Defense in Depth" strategy, which is achieved by ICS network segmentation that takes the cyber-physical ecosystem into account. Without a clear understanding of this core strategy, the risk assessment cannot be effective, given the multi-dimensional attributes involved: physical access control, grouping (based on physical & logical SL requirements and magnitude), criticality in terms of process functional safety & availability, etc.
4- In most organizations nowadays the initial risk assessment and its outcome play a key role in policies, procedures and strategic decisions. How impactful and convincing it is depends on various factors, such as the maturity and awareness of process risk in correlation with cyber-physical risk, followed by awareness of the threat intel for the relevant industrial sector. A practical outcome of the initial risk assessment lays the foundation for the path forward, not only in terms of realistically reaching the tolerable risk region but also in striking an optimal balance between asset reliance and sustainable expenditure.
5- The detailed risk assessment is a much deeper dive, similar to a process HAZOP and layers of protection analysis but not exactly the same. A security risk assessment is a mix of quantitative & qualitative proceedings, unlike process safety assessments, which are far more quantified by the nature of process dynamics, well-known process attributes & behaviors, and failure modes in which random failures prevail over the intentional dimension. Unintentional magnitude exists in both cases, compounded by the human factor and a lack of competency/awareness.
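As an added illustration (not from the original article) of how steps 2, 3 and 5 fit together: a constructed zone/conduit model of a small SuC is scored against a constructed organizational risk matrix, zones above the tolerable threshold are routed to the detailed assessment, and conduits that cross an SL-T boundary are flagged as the segmentation points that need their own security requirements. The matrix values, threshold, zone names, SL-T values and ratings are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed 5x5 organizational risk matrix, indexed [likelihood-1][consequence-1].
# A real assessment reads these cells from the corporate risk matrix.
RISK_MATRIX = [
    [1, 2, 3, 4, 5],
    [2, 4, 6, 8, 10],
    [3, 6, 9, 12, 15],
    [4, 8, 12, 16, 20],
    [5, 10, 15, 20, 25],
]
TOLERABLE_RISK = 6  # constructed risk-appetite threshold (edge of the tolerable region)

@dataclass
class Zone:
    name: str
    sl_target: int      # assumed SL-T (0..4) for the zone
    assets: List[str]   # from the asset inventory register
    consequence: int    # worst-case HSE consequence rating, 1..5
    likelihood: int     # unmitigated likelihood rating, 1..5

def initial_risk(zone: Zone) -> int:
    """Step 2: unmitigated risk of a zone read off the organizational matrix."""
    return RISK_MATRIX[zone.likelihood - 1][zone.consequence - 1]

def zones_needing_detailed_assessment(zones: List[Zone]) -> List[str]:
    """Zones whose initial risk exceeds the tolerable region proceed to step 5."""
    return [z.name for z in zones if initial_risk(z) > TOLERABLE_RISK]

def conduits_crossing_sl_boundary(zones: List[Zone], conduits: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Step 3 check: conduits joining zones of different SL-T are the segmentation
    boundaries and need their own security requirements in the CRS."""
    by_name: Dict[str, Zone] = {z.name: z for z in zones}
    return [(a, b) for a, b in conduits if by_name[a].sl_target != by_name[b].sl_target]

# Constructed sample SuC: four zones and the conduits between them.
ZONES = [
    Zone("SIS", 3, ["safety-plc-01"], 5, 2),
    Zone("BPCS", 2, ["dcs-ctrl-01", "dcs-ctrl-02"], 4, 3),
    Zone("Plant DMZ", 2, ["historian", "patch-server"], 2, 3),
    Zone("Enterprise", 1, ["erp-app"], 1, 4),
]
CONDUITS = [("SIS", "BPCS"), ("BPCS", "Plant DMZ"), ("Plant DMZ", "Enterprise")]

if __name__ == "__main__":
    print({z.name: initial_risk(z) for z in ZONES})
    print("detailed assessment required:", zones_needing_detailed_assessment(ZONES))
    print("SL boundary conduits:", conduits_crossing_sl_boundary(ZONES, CONDUITS))
```

With these constructed ratings the SIS and BPCS zones exceed the tolerable region and go to the detailed assessment, while the Plant DMZ sits exactly on the threshold and stays in the initial-assessment outcome.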
6- Similar to the Safety Requirement Specification (SRS) in the functional safety domain, the Cybersecurity Requirement Specification (CRS) demands a lot of determination, compilation and inputs: the detailed design specification for the ICS/SuC, approved policies & procedures, regulatory body compliance requirements (as applicable), the organizational risk matrix, process-associated risk/HAZOP scenarios & QRA, minute details of each piece of the asset inventory, physical & logical boundaries, security requirements of each zone & conduit, etc.
NOTE: The CRS is a live lifecycle document which shall be kept updated after each iteration.
7- Why the Asset Owner for Risk Approval?
Because the ultimate accountability lies with the asset owner, not only for understanding the existing risk profile in terms of the safety & availability of the asset, "but also to accept the inherent or residual risk" as part of the plant (process systems & sub-systems) that is monitored and controlled by the existing Industrial Control System, or by the conceptualized ICS that is going to be part of the asset.