Summit: Risk Assessment 101

Wednesday, June 25, 2014 @ 05:06 PM

By Gregory Hale
Cyber security is really all about risk management, but before you make any kind of decision on risk levels, you have to know what you have that is at risk. That is just where a risk assessment comes into play.

“There is a relationship between process safety and security,” said John Cusimano, director of ICS cybersecurity solutions at aeSolutions, during his talk entitled “Measure Twice, Cut Once! The Value of Conducting Cyber Risk Assessments” Wednesday at the 2014 Siemens Automation Summit in Orlando, FL. “In process safety you have a Process Hazard Analysis (PHA) mandated by OSHA and focused on the process and the equipment in the process. You have to establish a risk assessment and security is no different. In process safety we talk about layers of protection. In normal conditions the system keeps everything in control. If things don’t work the safety instrumented system kicks in and puts the plant in safe state.”

For a user looking at cyber security, Chris Da Costa, global operations security manager for Air Products and Chemicals Inc., said these are just some of the questions users should ask themselves:
• Is the plant ICS system secure from a cyber perspective?
• If there is an architecture change, will it change the security?
• What kind of firewall do you use?
• Do you have the right firewall rules?
• Has the plant ICS been compromised?
• Do you have the right layers of protection?
• How good is good enough?

“How do you go about answering those questions? To answer those questions you have to do a risk assessment,” Da Costa said. “What threats are in your system? Are safeguards in place to have risks at an acceptable level?”

A risk assessment, though, is only the beginning. “It is only a portion of the security philosophy. You need to address the people aspect, but the strategy part includes a risk assessment,” Da Costa said.

As a part of the discussion, Cusimano went through a basic assessment and some of the approaches to what he called a cyber PHA.

Some of the deliverables that come out of a risk assessment include:
• ICS security architecture drawings
• Requirement specification
• Vulnerability assessment
• Peer comparison
• Zone and conduit model

Just remember, as Da Costa said, “a risk assessment is so critical in where you want to go.”
