Cybersecurity is a hot topic in the industrial control system (ICS) world. What does cybersecurity mean to your organization and how do you implement proper cybersecurity? Determining how or what control an organization implements should be based on how you choose to handle risk. Risk within an organization can either be accepted (do nothing), mitigated (implement a control) or transferred (get insurance). To most efficiently implement the proper controls, a risk assessment must first be completed.
Completing a risk assessment within your organization might seem overly complicated, but it can be done in just a few simple steps. The first step is to define the scope: depending on the scope of the risk assessment, you might assess one or several individual pieces of technology, a business process, a department, or even the entire organization. Whatever you choose to assess is referred to as an asset.
Next, find the value of the asset to the organization. This can be done by adding a dollar value to the asset (what it cost to purchase or how much it makes for you) or a qualitative value (what the asset means to the organization).
Now you can complete a risk assessment to understand what risks threaten the asset. Threats can be internal, external, manmade, natural, intentional or inadvertent toward your assets. Since not all threats are equal, a determination must be made to understand threat level. This is done by determining the impact of the threat and the likelihood of the threat occurring. When documenting these determinations, remember to consider threats to your assets as if no controls were in place; for instance, assess a server as if it were not sitting in your locked server room with biometric access controls. This will let you know what risk the asset adds to the organization inherently.
The final step is to determine what controls you have put into place to protect your asset. Have you put that asset in a locked server room with biometric access control? Based on the controls that have been put in place, you can see a reduction in the risk an asset poses to the organization. After this process has been completed for all identified assets, you can determine what asset poses the most risk and focus your efforts on that area.
Remember, it is impossible to eliminate all risk. However, understanding your organization’s risk tolerance will help you determine if you want to accept, mitigate or transfer any remaining risk. You do not want to spend additional funds on an asset that has already met the organizational risk tolerance.
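The steps above, worked through as a small risk register, added here as an example (not from the article or from Interstates): each threat is scored with no controls in place to give the inherent risk, existing controls are then credited to give the residual risk, and assets are ranked and compared against a risk tolerance to reach an accept, mitigate or transfer decision. The 1 to 5 scales, the multiplicative scoring, the assets, the control effectiveness values and the tolerance threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    impact: int       # 1 (negligible) to 5 (severe)
    likelihood: int   # 1 (rare) to 5 (almost certain), judged with NO controls in place
    control_effectiveness: float = 0.0  # share of inherent risk removed by controls already in place
    def inherent(self) -> int:          # threat level before controls
        return self.impact * self.likelihood
    def residual(self) -> float:        # what remains after crediting existing controls
        return self.inherent() * (1.0 - self.control_effectiveness)

@dataclass
class Asset:
    name: str
    value: int        # qualitative value to the organization, 1 (low) to 5 (critical)
    threats: list = field(default_factory=list)
    def inherent_risk(self) -> int:     # risk the asset adds inherently, weighted by its value
        return self.value * sum(t.inherent() for t in self.threats)
    def residual_risk(self) -> float:   # risk left after the controls that are in place
        return self.value * sum(t.residual() for t in self.threats)

def decide(asset: Asset, tolerance: float) -> str:
    # Within tolerance: accept and spend nothing more. Above it: mitigate or transfer.
    return "accept" if asset.residual_risk() <= tolerance else "mitigate or transfer"

def rank_assets(assets, tolerance):
    # (name, inherent, residual, decision), highest residual risk first: where to focus effort
    rows = [(a.name, a.inherent_risk(), a.residual_risk(), decide(a, tolerance)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample register: assets, scores and control values are illustrative only.
SAMPLE_ASSETS = [
    Asset("Historian server", value=4, threats=[
        Threat("Unauthorized physical access", 4, 3, control_effectiveness=0.75),   # locked room, biometrics
        Threat("Ransomware from corporate network", 5, 3, control_effectiveness=0.5),  # zone firewall
    ]),
    Asset("Line 2 PLC", value=5, threats=[
        Threat("Unauthorized logic change", 5, 2),   # no control in place yet
        Threat("Flood damage to control cabinet", 3, 1),
    ]),
    Asset("Spare HMI in storage", value=1, threats=[Threat("Theft", 1, 2)]),
]
RISK_TOLERANCE = 40.0  # constructed organizational threshold on the residual score

if __name__ == "__main__":
    for name, inherent, residual, decision in rank_assets(SAMPLE_ASSETS, RISK_TOLERANCE):
        print(f"{name:22} inherent={inherent:4} residual={residual:6.1f} -> {decision}")
```

Note that the historian has the higher inherent risk, but the uncontrolled PLC ends up with the higher residual risk and so becomes the first place to focus effort, while the spare HMI sits within tolerance and gets no further spend.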
Risk assessments and risk management can seem like a daunting task for any organization, but they are essential for any organization that wants a mature and efficient cybersecurity program. Interstates has helped a multitude of ICS users better understand cybersecurity within their organizations and helped them move forward in a more secure and strategic manner.
Brandon Bohle is MIT analyst III at Interstates Control Systems Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Interstates Control Systems, visit its profile on the Industrial Automation Exchange.