Here’s your situation: industrial security is a hot topic today, and management has decided to assign you the task of carrying out an assessment and coming up with a plan to protect the company from… well, they didn’t exactly say.
Perhaps some budget support was provided for this task and perhaps not. Regardless of funding, it is understood that the priority is still to keep production running while you put your plan into action.
Doing Nothing? Not an Option
Try this as a starter for an industrial security self-assessment for cyber security risk at your organization. While it isn’t for everyone, it’s a good starting point for your organization. Taking action here may just help your company avoid some serious security incidents.
Assessing industrial security risk can be a large, complicated project. On the other hand, one way to start is with the self-assessment for cyber security risk described here.
1. Determine Who Should Help with the Assessment
You’ll need the different perspectives that come from working with a few others who don’t see your business from the same viewpoint as you. You’ll also need to keep the entire group thinking as objectively as possible during a few of the steps.
If you have the budget to bring in outside help here, look for perspective and objectivity. Consider team members from each type of job that works with your company’s equipment and systems, along with IT, an executive and an outsider, if possible. You can decide when to involve the whole group and when to limit the activities to just a few, provided you get everyone’s objective input and insight.
2. Identify the Critical Assets
This is essential. For a moment, put security out of your mind and simply create a list of the most critical assets that your company must protect in order to continue to be successful. These don’t need to be the most expensive machines or the highest paid employees.
Instead, they may include:
• Machinery that is commonly on the critical path in production
• A few workers with skills you can’t do without for even 1 day
• The business system that keeps raw materials, finished product and orders flowing
• The secret recipe that is at the core of making your most valued product
Key questions to ask are:
• What’s most important to maintain production around here?
• What is important and a bit “vulnerable”?
• If you were paid only on your ability to keep our company producing, what would keep you up at night?
3. Prioritize and List the Largest Risks for Each Asset
At Belden we have found our customers can quickly group assets into a sort of 1-2-3 approach.
- Securing the network (network segments, separation between the ICS Operations network and the corporate or enterprise network, network protocols, industrial networking equipment)
- Securing the endpoints (application servers, Active Directory, HMIs, asset management systems, key databases, engineering workstations, etc.)
- Securing the control systems (PLCs, RTUs, IEDs, DCS)
For this pass, be sure to get the most diverse and critical input possible, and ask the group what kinds of security issues might exist for each asset on the list. Be sure to ask, “What SHOULD we be afraid of?” If the answers you’re getting are possible and even remotely plausible, then put that asset on the “security” list. After investigation, you can always de-prioritize if the risk turns out not to be applicable.
Simply making a list of your facility’s most critical assets and prioritizing the risks that could impact them is a good way to start improving industrial security.
4. Prioritize the List of Industrial Security Assets
Base this on:
• Methods and ease of access that affect the asset (you might ask for some outside help here)
• How long the asset and/or production would be unavailable if this happened
• How likely it is that someone would either want to maliciously affect this asset or breach security for good reason, but with accidental consequences to the asset
You can make a simple chart to record and score these – be consistent with your criteria and as fact-based as possible.
5. Determine and Rate Existing Protection Measures
Determine what current security mechanisms, actions, policies and procedures are protecting each asset. Objectively, determine how effective they are.
Once complete, the outcomes should help you examine your current state. This self-assessment exercise should yield a starting point on your current situation and help you identify gaps between what you’re currently doing and what you need to be doing.
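As an added example (not part of the original article or any Belden tool), the chart from steps 4 and 5 can be kept as a short Python script that scores each asset and ranks the gaps. The 1-5 scale, the additive score, the protection discount and the sample assets are all assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumption: every criterion uses the same 1-5 scale

@dataclass
class Asset:
    name: str
    group: str       # step 3 grouping: network, endpoint or control system
    access: int      # step 4: ease of access (1 = hard, 5 = trivial)
    downtime: int    # step 4: length of outage (1 = minutes, 5 = weeks)
    likelihood: int  # step 4: malicious or accidental (1 = rare, 5 = expected)
    protection: int  # step 5: existing measures (1 = none, 5 = strong)

    def __post_init__(self):
        # Consistent criteria: reject any score outside the shared scale.
        for crit in ("access", "downtime", "likelihood", "protection"):
            if getattr(self, crit) not in SCALE:
                raise ValueError(f"{self.name}: {crit} must be 1-5")

    @property
    def risk(self):
        return self.access + self.downtime + self.likelihood  # 3..15

    @property
    def gap(self):
        # Assumed discount: protection 5 leaves 20% of the risk, 1 leaves 100%.
        return round(self.risk * (6 - self.protection) / 5, 1)

def rank(assets):
    """Largest unprotected risk first; longer outage breaks ties."""
    return sorted(assets, key=lambda a: (-a.gap, -a.downtime, a.name))

def render(assets):
    rows = [f"{'asset':<26}{'group':<16}{'risk':>5}{'prot':>5}{'gap':>6}"]
    for a in rank(assets):
        rows.append(f"{a.name:<26}{a.group:<16}{a.risk:>5}{a.protection:>5}{a.gap:>6}")
    return "\n".join(rows)

# Constructed sample entries, not data from the article.
SAMPLE = [
    Asset("ICS/corporate firewall", "network", 4, 5, 4, 5),
    Asset("Line 3 PLC", "control system", 4, 5, 3, 1),
    Asset("Engineering workstation", "endpoint", 4, 3, 4, 2),
    Asset("Historian database", "endpoint", 2, 2, 2, 3),
]

if __name__ == "__main__":
    print(render(SAMPLE))
```

In this constructed data the firewall has the highest raw score but falls to the bottom of the list once its existing protection is rated, while the unprotected PLC rises to the top.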
You have a reasonable list of assets that need protection and a prioritized list of potential security vulnerabilities for each. In addition, you’ve got a list of non-security issues that you can use to justify the value and priority of your security needs. If you’ve involved executive management from the start, you’ve paved the way for management support and hopefully budget for the actions you’ll need to take. And since you’ve involved others from different roles, you’ve got a chance to put something in place that everyone can live with.
Your next steps are to determine how many of those high priority assets to protect and how to protect them. If the list is long and you’re not sure how to get it all done, plan on a phased approach and consult with your leadership and management for consensus and buy-in on what should be in each phase.
Please remember that no security measures are 100% foolproof, and the best security requires that you monitor, evaluate and improve your plans regularly.
Let us know if this easy industrial security risk assessment is helpful, or if you have other tips to share.