Protecting key resources and critical infrastructure (CI), such as healthcare, finance, transportation, telecommunications, energy, and water/wastewater is essential to security, public health and safety, economic vitality and our overall way of life. Recent ransomware attacks, such as one against a gas pipeline, illustrate the impact of insecure infrastructures. The director of the U.S. Federal Bureau of Investigation (FBI) recently compared ransomware attacks to the September 11 attacks and indicated that the agency is putting ransomware attacks at a similar priority to terrorism.
Fundamental to the protection of CI and key resources is the security of the operational technology (OT) systems, mission-critical systems that control and protect these infrastructures. OT consists of the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc. The term “OT system” is used to broadly describe the technologies (both analog and digital) that support industrial processes, such as:
- Supervisory control and data acquisition systems (SCADA)
- Programmable logic controllers (PLCs) often found in industrial sectors and critical infrastructures
- Process OT systems
- Distributed control systems (DCS)
- Other OT systems specific to CI industry sectors
Assessing the security of OT systems can be aided by conducting an OT cybersecurity threat and risk assessment (TRA). The NIST Cybersecurity Framework, which applies to organizations relying on technology, regardless of their cybersecurity focus, states that cybersecurity activities at their highest level involve five high-level functions: identify, protect, detect, respond, and recover. An OT TRA encompasses all of these high-level functions. The Framework also points out that organization have unique risks with different threats, vulnerabilities, and risk tolerances.
Threats give rise to risks to OT/CI assets, based on the likelihood of a threat being realized and the impact on the assets when that threat is realized. The TRA process is a formalized method to address the negative consequences of a threat actor or threat event exploiting a vulnerability to affect an asset of value adversely. In essence, risk may be described as:
Risk = f (Asset Value, Threats, Vulnerabilities)
A TRA includes asset identification and valuation, threat, vulnerability and risk assessments, and a calculation of risk treatment recommendations and residual risk. The overall objective of the TRA process is to produce a list of risk ratings for each exploitable vulnerability/threat combination.