Not all cybersecurity risks are created equal, and as threats continue to evolve, it is critical that risk assessments are performed and updated on a regular basis. This is especially true for critical infrastructure, where cyberattacks can have life-threatening consequences. But is critical infrastructure cyber risk assessment different from traditional IT cyber risk assessment?
To understand the differences in assessment, first identify the differences in risk:
- Traditional IT cyber risk: the likelihood and potential financial consequences of an attacker taking control of an organization's sensitive information.
- Critical infrastructure cyber risk: the likelihood and potential physical consequences of attackers taking control of society's most important systems and assets.
The potential impact of critical infrastructure cyber risk is significantly higher than that of traditional IT cyber risk. For example, if someone steals your identity and opens a credit card in your name, it will certainly disrupt your personal life, but you are unlikely to be held responsible for the fraudulent charges. Conversely, if bad actors shut down the power grid, poison the local water system or damage a reservoir dam, your family's life could be at risk. A sufficiently widespread attack on critical infrastructure could also have serious implications for national security.
While it is important to highlight the difference between critical infrastructure and traditional IT cyber risk, it is also worth noting that real-world events are not always easy to categorize. Nation-states, for example, are sometimes motivated to steal money rather than cause damage; North Korea and Iran come to mind. And while ransomware is a favorite among attackers seeking to extort private companies, ransomware attacks can also have national security implications; think of the recent Colonial Pipeline shutdown. In another example, a criminal may launch a ransomware attack on a hospital to extort money, but if the attack disrupts the delivery of patient care, people may suffer and die.
Critical Infrastructure Cyber Risk Assessment and Traditional IT Cyber Risk Assessment
IT is common in industrial environments. Therefore, a critical infrastructure cyber risk assessment must include every information risk element of an IT cyber risk assessment. On top of that, there are many additional (and frankly, scarier) physical risk factors that must also be addressed.
Both traditional IT cyber risk assessments and critical infrastructure cyber risk assessments must consider the following risk scenario consequences:
- Loss of revenue
- Loss of reputation
- Loss of share price
- IT incident response costs
- IT incident recovery costs
- Customer impact, such as in the case of fraud
Critical infrastructure cyber risk assessments must also weigh the following additional risk scenario consequences:
- Employee injuries, illnesses and deaths
- Community injuries, illnesses and deaths
- Equipment damage from fire and explosion
- Destruction of property and infrastructure in surrounding communities
- Destruction of plants and wildlife
- Releases of toxins that endanger air, land and water quality
- Environmental response and recovery costs
- Supply chain effects
- National security implications
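To make the two consequence lists concrete, the following toy risk register is an added example (not from the article or from TechTarget). It scores each scenario with a plain likelihood × severity matrix, first over the IT consequence categories alone and then with the physical categories in scope, and applies a constructed "intolerable" rule for fatality-level safety outcomes, in the spirit of process safety practice. The 1..5 scales, category names, threshold and the three scenarios are all constructed values; the point they illustrate is that an OT scenario which ranks last in an IT-only assessment moves to the top once physical consequences are weighed.

```python
"""Toy risk register scoring scenarios on IT and physical consequences.

Added illustration, not from the article. The 1..5 likelihood and severity
scales, the "intolerable" safety rule and the three scenarios are constructed
values, chosen to show how an OT scenario that looks minor in an IT-only
assessment rises to the top once physical consequences are weighed.
"""
from dataclasses import dataclass, field

# Consequence categories, grouped the way the article groups them (constructed keys).
IT_CATEGORIES = frozenset({"revenue", "reputation", "share_price",
                           "ir_cost", "recovery_cost", "customer_impact"})
PHYSICAL_CATEGORIES = frozenset({"employee_harm", "community_harm", "equipment_damage",
                                 "property_destruction", "ecological_damage", "toxic_release",
                                 "environmental_recovery", "supply_chain", "national_security"})
# Categories where a worst-case rating is treated as intolerable regardless of
# likelihood, mirroring how process safety handles fatality-level outcomes.
SAFETY_CATEGORIES = frozenset({"employee_harm", "community_harm", "toxic_release"})
INTOLERABLE_SEVERITY = 5


@dataclass
class Scenario:
    name: str
    likelihood: int                                   # 1 (rare) .. 5 (almost certain)
    consequences: dict = field(default_factory=dict)  # category -> severity 1..5

    def __post_init__(self):
        # Reject typos and out-of-range ratings early: a silently ignored
        # category would understate the risk.
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be 1..5")
        for cat, sev in self.consequences.items():
            if cat not in IT_CATEGORIES | PHYSICAL_CATEGORIES:
                raise ValueError(f"{self.name}: unknown category {cat!r}")
            if not 1 <= sev <= 5:
                raise ValueError(f"{self.name}: severity for {cat} must be 1..5")


def severity(scenario, include_physical=True):
    """Worst credible outcome across the categories in scope.

    Using the maximum rather than a sum mirrors common risk-matrix practice:
    a scenario is rated by its most severe consequence, not by how many
    consequence columns it touches.
    """
    scope = IT_CATEGORIES | PHYSICAL_CATEGORIES if include_physical else IT_CATEGORIES
    return max((sev for cat, sev in scenario.consequences.items() if cat in scope), default=0)


def risk_score(scenario, include_physical=True):
    """Classic likelihood x severity matrix score (1..25)."""
    return scenario.likelihood * severity(scenario, include_physical)


def is_intolerable(scenario):
    """True when any safety category is rated at the intolerable level."""
    return any(scenario.consequences.get(cat, 0) >= INTOLERABLE_SEVERITY
               for cat in SAFETY_CATEGORIES)


def rank(scenarios, include_physical=True):
    """Return scenario names, highest priority first.

    With physical consequences in scope, intolerable safety outcomes sort
    ahead of everything else; otherwise the plain matrix score decides.
    """
    def key(s):
        return (include_physical and is_intolerable(s), risk_score(s, include_physical))
    return [s.name for s in sorted(scenarios, key=key, reverse=True)]


# Constructed scenarios for a hypothetical chemical plant.
SCENARIOS = [
    Scenario("Customer database exfiltration", likelihood=4,
             consequences={"revenue": 3, "reputation": 4, "ir_cost": 3, "customer_impact": 4}),
    Scenario("Safety instrumented system tampering", likelihood=2,
             consequences={"revenue": 2, "equipment_damage": 4,
                           "employee_harm": 5, "toxic_release": 4}),
    Scenario("Ransomware on plant historian", likelihood=3,
             consequences={"revenue": 3, "recovery_cost": 3, "supply_chain": 3}),
]

if __name__ == "__main__":
    for scope, flag in (("IT-only", False), ("IT + physical", True)):
        print(f"{scope} ranking:")
        for name in rank(SCENARIOS, include_physical=flag):
            print(f"  {name}")
```

Run as a script, the IT-only ranking puts the database exfiltration first and the safety system tampering last (score 4, since only its small revenue impact counts); with physical consequences in scope the tampering scenario is flagged intolerable and moves to the top even though its likelihood is the lowest of the three. Whether an organization uses a max-severity matrix, a summed score or a tolerability threshold is a methodology choice; what the example shows is that the choice of consequence columns changes the answer.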
Risk Assessor Expertise
The dual scope of critical infrastructure cyber risk assessments makes them more complex and challenging than traditional cyber risk assessments, mainly because additional knowledge, skills and methods are required to assess physical risks.
Beyond the skills of a traditional IT cyber risk assessor, critical infrastructure cyber risk assessors require expertise in the following areas:
- Operations and field technology
- Industrial network security
- Operations supervision and management
- Industrial engineering
- Process safety management
- Health and safety management
- Environmental risk and compliance
- Environmental remediation
- Industrial regulatory compliance
- Physical security
Risk Assessment Methods
These two risk assessments also use different methods. Traditional IT risk assessments rely on the following frameworks:
- Factor Analysis of Information Risk (FAIR)
- COBIT
- ISO 31000 and ISO/IEC 27005
- NIST Special Publication 800-30
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) Allegro
In contrast, critical infrastructure risk assessment methodologies include the following:
- IEC 62443 and IEC 61511
- Process Hazard Analysis (PHA)/Hazard and Operability Analysis (HAZOP)
- Cyber PHA
Risk Assessment Environments
The environments covered by each of these assessments are also different. Traditional IT risk assessments include the following:
- Internet
- Cloud services and applications
- Enterprise network
- Local services and applications
- Remote access
- Information and data
- Accounts, access and privileges
Critical infrastructure cyber risk assessments additionally cover the following environments:
- Operations site area
- Operations safety area
- Operations control area
- Operations isolation/historian area
- Operations remote access area
- Operations information and data
- Operations accounts, access and privileges
Recommendations for Critical Infrastructure Cyber Risk Assessment
The most important point is that critical infrastructure cyber risk assessments are more complex than traditional IT risk assessments because they include both traditional IT risks and physical risks.
When conducting critical infrastructure cyber risk assessments, consider the following recommendations:
- Get the right third-party help. Internal staff may lack the combined expertise necessary to design and conduct a comprehensive critical infrastructure cyber risk assessment. In this case, enlist the help of external organizations, both public and private, that have extensive experience in critical infrastructure risk assessment and protection preparedness.
- Get the right insiders involved. While IT personnel deal with digital technology threats, the people who understand the potential physical impact of cyber threats come from other parts of the organization. Work with in-house experts from operations, process engineering, technical engineering, environmental health and safety, and process safety.
- Deliver the right message to the executive team. Executive teams often see cyber risk as a technical problem for IT to address. Help them understand that responsibility for modern cyber threats extends well beyond IT. IT alone cannot solve critical infrastructure problems; they require the involvement of the entire organization, from the factory floor to the board of directors.
Source: TechTarget China