Know Vulnerabilities, Threats to Manage Risk

Tuesday, October 7, 2014 @ 08:10 PM gHale

By Ellen Fussell Policastro
No matter how you define a security risk in your organization, you can’t overlook the fact that risk management involves measuring and managing vulnerabilities and threats.

It isn’t just vulnerability management or threat management. Risk management has to incorporate the concept of potential harm as a result of vulnerabilities and threats together. Eric Knapp, director of cyber security solutions and technology at Honeywell Process Solutions, made a logical case for using the top five best practices for industrial cyber security risk management during last week’s ISSSource webcast.

Dragonfly: Pharma Industry Targeted
DHS ‘Ill-Prepared’ for Pandemics
Risk Assessment Software Released
Free DHS Cyber Assessments

From understanding risk appetite and measuring methodologies to assessing vulnerabilities and identifying threats, Knapp finally lands on the number one best practice — apply what you know.

5: Understand Your Appetite
“The probability of a risk occurring can range from 0 to 100 percent,” Knapp said. “But in there is a sweet spot.” Your organization’s risk appetite is the amount and type of risk you are willing to accept in pursuit of your business objectives. To clarify, Knapp explained the difference between risk tolerance and risk appetite. “Risk tolerance is the capacity — the specific maximum risk an organization is willing to take regarding each relevant risk,” he said. “When you’ve reached your risk tolerance you must take action.” An organization’s appetite is its comfort zone before it reaches that tolerance level.

“You also have to look at your risk target,” Knapp said. “It’s easy to say, ‘My risk target is zero.’ But in reality there’s no such thing as zero percent risk. You want to find the absolute sweet spot of where you’re experiencing an optimal level of risk,” he said. One sure way to have zero percent is to power everything off and send everyone home. But that contradicts your business goals. The risk target says in order to meet my goals I need to perform certain functions. With those comes an inherent amount of risk. Therefore there’s a target. “Where am I being risky enough that I know I have a chance of success, whereas I have a tolerable amount of risk of failure? That is your risk target,” Knapp said. A risk limit is a threshold you’d set so when you’re monitoring your risk, you’re hitting a point where you need to take action. “So prior to your risk appetite, you’d have risk limits to track where you are in your appetite.”

When you have these metrics and targets and monitor your activities against them, you can adjust your activation to reduce risk and bring it back to tolerable levels. “And perhaps if risk is too low, you can’t succeed,” Knapp said. “So you might even want to take action on risk that is too low.”

#4: Know Your Measurement and Methodologies
Relevant standards surrounding cyber security management include ISO 27005: 2011 and, in the context of industrial applications, ISA-99, which is now becoming the ISA 62443 standard with guidelines around risk management.

Risk is a combination of threats and vulnerabilities as well as consequences. A vulnerability does not cause harm; it’s a condition that could cause harm. A threat on the other hand has the potential to harm assets. One is a passive state and one is an active state. The likelihood is a function of vulnerability and threat.

In the ISA equation, risk is likelihood times impact (R = L x I). ISO uses threat times vulnerability times consequence (R = T x V x C). “These should not be read as mathematical equations,” Knapp said. “But just know risk is a function of threats, vulnerabilities and consequences.”

Your risk management plan needs to identify the measurements you’re using. If you’re rating vulnerability, are you rating on a scale from 1 to 100? You can use other methods that work for you and your organization, as long as they are consistent, and you have a way to apply them to determine what that risk actually means.

So how do we apply these equations? Knapp presented a table that showed various levels of severity of consequences and their likelihood. “If you look at consequences first, you’ll see that consequences are not black and white,” he said. There are multiple types of consequences for each vulnerability. “Zero means no injury or damage to people all the way up to major injuries, fatalities, and multiple fatalities. So you have a wide and obvious range of consequences.”

But what about consequences against assets, such as hardware or software? Quite often we think of assets in terms of monetary values “because it’s an easy way to quantify the consequence of an information asset being stolen or damaged,” Knapp said. It doesn’t need to be dollar values, just a simple numerical scale of 1 to 5.

“The exact amount of what an asset is worth is perhaps one of the trickiest elements of risk management, especially in the industrial realm,” he said. “You might have one type of asset not particularly expensive, such as pressure release valves. If you look at it myopically as a single entity outside of a system, there’s little value. But it could play an important role in the automation system, such as fail-safe.” When evaluating the value of an asset it’s important to think of it as an entire system. “If you operate an oil platform and there’s a spill, for instance, bad media could mean a hit to your corporation’s reputation.”

How do you measure likelihood? Knapp used a graphic that was based on probability of occurrence to explain how to measure likelihood. A threat the industry has never heard of has little probability of happening. One that everyone knows about has a high likelihood of happening. “Something that’s been proven to happen several times per year in a specific location has a high likelihood,” he said. And you can use different types of scales. The likelihood could be a trend rather than a probability. Such trends as a big cyber campaign could target your industry. It’s never happened before, but it could increase the likelihood of a particular type of attack. So risk needs to be adjusted accordingly. “When you look at these together they map to a table that gives you a rating of 1-10, the higher the number, the higher the risk,” he said. “In this case we make a business rationale based on the combination of the consequence and likelihood of that activity happening at any given time. This is your value of R or the risk metric. For every action there will be a consequence and likelihood. And that process has to happen for every vulnerability and every threat. So it can become tricky.”

#3: Accurately Assess Vulnerability of ICS Environment
To accurately measure vulnerabilities, you have to look at both the specifics and the entire system. “Perhaps you have a specific server or network device that has its own vulnerabilities,” Knapp said. But you can also look at vulnerabilities on a broader scale across entire systems and parent networks — and anywhere in between. “If you have HMI software susceptible to buffer overflow, you have a vulnerability of a specific software asset. However HMI vulnerabilities directly impact the entire systems. So it’s a really a system vulnerability.”

You should use vulnerability assessment scanners carefully. These devices are designed to discover devices on your network and assess each one for known vulnerabilities. “By doing a network scan and then using various ways to fingerprint those devices, you can find out what ports are running, what applications are running, and what version of that application is running,” he said. “I would never recommend doing an assessment on a live system without a well thought out plan. Test your backup systems and secondary systems when they’re not in use and then roll out this assessment over time.”

The best way to use vulnerability assessment scanners without risk is to do it offline in a test lab, which of course is probably not going to happen in the automation world. The best way is to “test in a lab where it’s safe, but also have a benign way to test on a live system to ensure no unintended vulnerabilities of the system as a whole,” he said.

#2: Identify Threats Against the ICS
Threats can be malware (virus or Trojan), a hacker (from semi professionals to disgruntled employees, professional hackers, and hackers for hire), or accidents. “Coffee is an effective threat against keyboards,” Knapp said. But how do we know if something is a threat? You need to consider three main things:
1. Every threat has a source
2. Every threat has a vector or path
3. Every threat has a target

Depending on the threat and target, the outcome could be different. Likewise the vector or path that threat takes could indicate the likelihood of that threat succeeding. “When you know along what vector you have clear network defenses, there is a lower likelihood of that threat exploiting a vulnerability,” he said.

One question Knapp gets all the time is: “Where do these threats come from? Do I have to worry about hackers, or is it all malware or disgruntled employees?”

“There are metrics that give us this information,” he said. “If we have it, we can focus our efforts. But I think there’s a concern about relying too much on this type of data,” he said.

One tried and true saying from Knapp’s martial arts class is this: It’s better to cry in the dojo [training] and laugh on the battlefield. In other words, you can work harder than you need to during peacetime so you’re more prepared when you need to be.” That goes for investing in cyber security up front. If you think threats are almost always device and software failures and malware, and you don’t want to put your time into defending your system against hackers, you might invest everything into preventing malware and software failures. “Yes, we should invest our resources in the highest places. But we don’t always know what we think we know,” Knapp said.

The most common threats are the easiest to detect. You’re more likely to detect old viruses easily caught by antivirus than you are likely to detect a sophisticated new Trojan that hasn’t surfaced yet. “You might end up thinking all threats are old malware and viruses. But most are the result of sophisticated hacking and customer malware purchased on the black market and cyber espionage,” Knapp said. “Those will be hard to detect. When they do get detected they make the news, we hear about them, and there are other avenues for sharing more sophisticated information. But we have to consider that the biggest threat is the one we don’t know anything about. Advice I always give is to imagine the worst-case scenarios and then imagine it being a lot worse than that.”

#1: Apply What You Know
The number one best practice in risk management involves applying what you know about your risk. A lot of policy reviews go into finding that little value of R: What is my risk? If you have a network in which devices are at risk, then the network itself is at risk. “If you can find that hotspot and understand why you have a high level of risk in one application versus another, you can try to implement the best resources in the best way possible,” he said.

Another key to applying what you know is to make sure you justify spending resources on security. “We are living in an unfortunate economy in the world now. Resources are tight,” Knapp said. “If we can prove the cyber security countermeasures are worth the activities and staff we put into it, it could result in positive trends, reducing overall risk of the organization. Remember risk is the function of threats and vulnerabilities. But it comes down to impact to the organization. So if you’re proving you’re reducing risk, you’re justifying the resources and are likely to get more.” All in all, that little value of R is extremely important, Knapp said. “We can do a lot with it once we have it.”

Click here for an on demand version of the webcast.

Ellen Fussell Policastro is a freelance writer based out of Raleigh, NC.

Leave a Reply

You must be logged in to post a comment.