Assessing and monitoring the security of operation technology (OT) systems can be aided by conducting an OT cybersecurity threat risk assessment (TRA). The process is fundamental to the protection of OT/critical infrastructure (CI) and key resources against malicious cybersecurity threats such as ransomware.
An OT cybersecurity TRA should be based on industry-recognized security assessment principles and carried out in three phases:
- Independent technical vulnerability assessment of OT networks
- Conduct a threat and risk assessment for business functions supported by the OT networks incorporating the results from Phase 1
- Provide ongoing cybersecurity support.
The TRA process for a system should follow an eight-step procedure.
1. Establish the business context for the system:
- Provide insight into the concept of operations for the business, including specific programs or services involved within the scope of the TRA
- Identify major characteristics of the system/program and understand how it will achieve its objectives
- Establish an understanding of the technical architecture, services, functionality, and connectivity of the system
- Identify information security management practices and related security controls applicable to the system, such as firewalls, intrusion detection, and prevention systems.
2. Conduct OT asset identification and valuation and impact to identify and assign value to critical assets in terms of their confidentiality, integrity, and availability. Loss of confidentiality, integrity and/or availability determines potential impacts under adverse conditions. The output of this process is used during risk analysis and forms a key element in the computational analysis of risks.
3. Conduct an assessment to determine threats. This assessment should include:
- A list and description of the threats relevant to the system
- Information on the likelihood of threats or threat events taking place, and potential impact(s) arising from them
- An overall level rating for each identified threat or threat event.
4. Conduct a vulnerability assessment of the assets in the system comprised of the following: identifying existing or planned security controls, identifying vulnerabilities, and establishing overall vulnerability ratings. After the existing or planned controls are evaluated, the probability of compromise can be established along with the severity of the outcome.
5. Conduct risk analysis, taking into account the value of the assets, their exposure to a threat actor and the vulnerabilities that could be exploited during an incident. A risk rating is then determined for each vulnerability/threat combination as a function of likelihood and impact. The degree of detail taken in risk assessment/analysis is heavily dependent on the value of the assets at risk, the degree of vulnerability of the assets or organization to various threat scenarios, and the current state of the threat environment. These can be exacerbated by previous security incidents the organization has been exposed to.
6. Prepare the TRA report/risk treatment plan, which includes an introduction, descriptions, summaries/conclusions and supplemental information as illustrated below.
7. Apply security controls recommended in the TRA report/risk treatment plan
8. Monitor risks and, as required, re-assesses via another threat risk assessment.
An OT TRA (and report) provides a risk assessment and summary of security risks, as well as conclusions and recommendations for future activities. Following the TRA process steps described here will enable OT owners and administrators to evaluate and monitor risks against their OT/CI systems and implement security controls to counter malicious activity.