The cybersecurity risk management lifecycle is broken into three phases: assess, design and implement, and maintain. For the purpose of this article, we will discuss the assess phase, what is included in it, and what the end product should be. The goal of this phase is to evaluate an industrial control system’s topology and configuration to identify weaknesses, evaluate risks, and document information for future action. Completion of the assessment will lay the groundwork for security measures on all future improvements.
Many water and wastewater SCADA owners do not perform regular assessments; they consider cybersecurity modifications and enhancements only when a capital project is in design. Even then, security considerations are often given only to the new equipment, and the existing system is not evaluated. This is particularly worrisome because a system element that has not changed may still have become less secure: new vulnerabilities are disclosed and the threat environment shifts while the installed equipment stays the same. Without a cybersecurity assessment, operators will not learn about vulnerabilities until they are exploited. An assessment typically includes the following activities:
- Evaluate and document the network, starting by collecting the existing system documentation: architecture drawings, network diagrams, and the asset inventory.
- Verify that documentation against the live system with a combination of visual inspection and automated network scanning tools, so that no undocumented devices remain on the network and no documented device is missing.
- Collect device details for everything on the network (what is installed, how it is configured, and which components are critical to operations) so that the team understands what it is protecting.
- Perform gap assessments that review operational and technical cybersecurity procedures and compare them with industry best practices.
- Determine staff's understanding of procedures and how they are actually implemented, including password policies, processes for updating software and installing patches, how intrusions are detected and handled, and processes for evaluating system expansion.
- Collect network information with passive tools that listen to network traffic, with active tools that attempt to connect to assets, or with penetration testing that looks for exploitable weaknesses. Passive collection is the safer starting point on a live control network, since active probing can disturb older PLCs and field devices; active scanning and penetration testing should be scheduled with operations.
- For the purpose of the risk assessment, treat risk as the combined result of threat, vulnerability, and consequence: a weakness that no plausible adversary can reach, or whose exploitation has no operational effect, ranks lower than one that an attacker can reach and that would disrupt the process.
- Address each risk using one of the four typical methods. Tolerate means the risk is accepted. Transfer means the consequence is moved to others, e.g., buying insurance to cover the cost of an attack. Terminate means the risk is eliminated by removing the item that causes it. Treat means a device, tool, or procedure is implemented to eliminate or reduce the risk.
- Assemble a team and conduct a workshop to review the collected information. The team should be a cross-section of the organization, with all critical stakeholders represented.
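The verification step above (documentation versus what is actually on the wire) is the part of the assessment that most benefits from tooling. The following Python script is an added example, not code from the original article: it reconciles a documented asset inventory with scanner output and produces three kinds of findings for the workshop, devices seen but not documented, devices documented but not seen, and documented devices exposing services that warrant discussion. The inventory, the nmap `-oG` (greppable) style scan output, every address, hostname, and port, and the small watchlist of services are all constructed for this example.

```python
"""Reconcile a documented SCADA asset inventory against network scan results.

Added example for the assessment's verification step. All inventory rows,
scan lines, addresses, names and the REVIEW_PORTS watchlist are constructed.
"""
import csv
import io

# Constructed asset inventory, as it might be exported from plant documentation.
# The column names are an assumption of this example.
INVENTORY_CSV = """\
ip,name,role,critical
192.168.10.5,plc-01,PLC (intake pumps),yes
192.168.10.6,plc-02,PLC (chlorination),yes
192.168.10.20,hmi-01,Operator HMI,yes
192.168.10.30,hist-01,Historian,no
192.168.10.40,eng-ws,Engineering workstation,no
"""

# Constructed scan output in nmap -oG (greppable) style: one 'Status: Up' line
# per live host and one 'Ports:' line when any ports were reported.
SCAN_GREPPABLE = """\
# Nmap scan initiated (constructed output for this example)
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 502/open/tcp//mbap///
Host: 192.168.10.6 ()\tStatus: Up
Host: 192.168.10.6 ()\tPorts: 502/open/tcp//mbap///, 44818/open/tcp//EtherNet-IP-2///
Host: 192.168.10.20 ()\tStatus: Up
Host: 192.168.10.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///
Host: 192.168.10.30 ()\tStatus: Up
Host: 192.168.10.30 ()\tPorts: 1433/open/tcp//ms-sql-s///
Host: 192.168.10.77 ()\tStatus: Up
Host: 192.168.10.77 ()\tPorts: 80/open/tcp//http///, 23/open/tcp//telnet///
# Nmap done
"""

# Services whose presence on a documented OT device should be raised in the
# workshop. This watchlist is an assumption of the example, not from the article.
REVIEW_PORTS = {23: "telnet (cleartext)", 445: "SMB", 3389: "RDP"}


def _ip_key(ip):
    """Sort IPv4 addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_inventory(text):
    """Return {ip: row} for the documented asset list."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(text))}


def parse_greppable(text):
    """Return {ip: set_of_open_ports} from nmap -oG style output.

    Fields on a 'Host:' line are tab separated; each entry in the 'Ports:'
    field looks like 'port/state/protocol//service///'.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, set())  # register host even without ports
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) >= 2 and parts[1] == "open":
                    ports.add(int(parts[0]))
    return hosts


def reconcile(inventory, scan):
    """Compare documentation with observed reality and return the findings."""
    documented, observed = set(inventory), set(scan)
    findings = {
        # On the wire but absent from drawings/inventory: identify first.
        "undocumented": sorted(observed - documented, key=_ip_key),
        # Documented but not observed: stale documentation, offline, or scan gap.
        "unseen": sorted(documented - observed, key=_ip_key),
        # Documented devices exposing watchlisted services: discuss in workshop.
        "review_services": [],
    }
    for ip in sorted(documented & observed, key=_ip_key):
        for port in sorted(scan[ip] & set(REVIEW_PORTS)):
            row = inventory[ip]
            findings["review_services"].append(
                (ip, row["name"], row["critical"], port, REVIEW_PORTS[port]))
    return findings


if __name__ == "__main__":
    result = reconcile(parse_inventory(INVENTORY_CSV), parse_greppable(SCAN_GREPPABLE))
    for category, items in result.items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

On the constructed data the script reports 192.168.10.77 as undocumented (an unknown device speaking telnet and HTTP on the control network, which is itself the finding), 192.168.10.40 as documented but unseen (either the drawings are stale or the scan did not cover it), and the critical HMI exposing SMB and RDP for the team to weigh. Matching on IP address alone is a simplification; where devices use DHCP or have several interfaces, reconcile on MAC address or serial number as well, and remember that a scan only shows what was reachable at the moment it ran.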
Once the risk assessment is complete, the information is assembled and formalized into a report that guides the next phase, design and implement. Performing a risk assessment is a crucial element of a cybersecurity program. If the assessment is well thought out and the critical stakeholders are included, its results serve as a roadmap for future projects and investments.