The Radiflow Security Blog

Takeaways from our Expert Panel: Optimizing OT Cybersecurity through IEC62443 risk assessment & management

August 4, 2020

Our October 8, 2020 expert panel, with guests Brian Kime, Senior Analyst, Forrester, and Dale Geach, Head of Technology and Innovation, Siemens Smart Infrastructure, was a huge success! Here are a few takeaways from the panel:

The current cyber threat landscape facing OT organizations

The transition to Industry 4.0 – the convergence of IT and OT systems and the digital transformation of production processes – has delivered great benefits, for example being able to connect a sales system directly to your production floor, as well as new attack vectors. This includes criminal elements that have now started targeting OT networks, as evident in the rise of ransomware attacks (including one against a large auto manufacturer).

While OT operators usually focus on OT threats to the production floor (which target the automation process), they are in reality no less threatened by types of attacks that are traditionally considered within the IT realm, such as ransomware. Protecting the OT organization against such attacks should be a higher priority.

What is the evidence to support the need for risk assessment and management in OT organizations?

In planning and budgeting the organization’s cyber-security efforts, CISOs need to communicate the severity of the threats facing the network to the board members, and board members want to talk about and manage risk. That’s what they’re used to, just like financial risk or reputational risk.

This is where a risk analysis & management system comes in – it can help the customer make some educated decisions about how to prioritize the different activities. While threat and risk are very similar, and threat detection does play a part in risk assessment, risk deals more with probabilities and impact, which can be more easily quantified and converted into actionable planning.

What is a comfortable level of risk? Do customers know their risk threshold?

It’s subjective; however, safety will always be high-priority; in some industries compliance is also high on the list, as non-compliance could shut down operations. Then there are critical production lines and less critical ones, so the OT operator usually does have an idea of which processes are critical and which aren’t.

Another variable is the industry in which the organization operates, so for each industry and sector there will be unique characteristics that define risk tolerance.

What should be the minimum frequency of performing a risk assessment?

Some operators claim that the minimum is annual or quarterly, but in reality the threat landscape is evolving so quickly that there’s no way around active, continuous risk monitoring. Otherwise you’re battling last year’s threats and investing in the wrong defenses.

If you look at the rate at which new CVEs (vulnerability notifications related to specific devices) are added, it’s clear that risk assessment needs to be done on a continuous or close-to-continuous basis. Obviously the operator needs to balance cyber-security resources.

How do standards manifest in an actual risk assessment?

IEC 62443 provides a good framework for risk assessment – mapping assets, zones and conduits; analyzing what are the different priorities and the business impact of each of these zones and business processes; determining mitigations and security controls based on security levels for each zone, and calculating the residual risk to see if it’s acceptable.
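As an added illustration of the zone-and-conduit workflow described above (not Radiflow’s or the panelists’ tooling), the following toy assessment runs the steps over a constructed plant model: zones with a target security level (SL-T) and the level achieved by deployed controls (SL-A), business impact and likelihood scores, conduits between zones, and a tolerable-risk threshold. The residual-risk reduction rule and the 1–5 scoring scales are simplifying assumptions, not formulas from the standard.

```python
"""Toy IEC 62443-style zone risk pass over a constructed sample plant."""
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    sl_target: int      # SL-T, 1-4, chosen from business impact
    sl_achieved: int    # SL-A, 1-4, what the deployed controls reach
    impact: int         # business impact of compromise, 1-5 (assumed scale)
    likelihood: int     # threat likelihood, 1-5 (assumed scale)
    assets: list = field(default_factory=list)

@dataclass
class Conduit:
    src: str
    dst: str
    protocol: str

def inherent_risk(z: Zone) -> int:
    return z.impact * z.likelihood

def residual_risk(z: Zone) -> int:
    # Assumption: each SL step achieved lowers effective likelihood by one,
    # floored at 1. A simplification, not a rule from IEC 62443.
    return z.impact * max(1, z.likelihood - z.sl_achieved)

def assess(zones, conduits, tolerable):
    """Per-zone findings: risk figures, SL gap, acceptability, and which
    inbound conduits cross from a zone with lower SL-A than this zone's SL-T
    (those boundaries must carry the controls that justify the target)."""
    by_name = {z.name: z for z in zones}
    report = {}
    for z in zones:
        gap = max(0, z.sl_target - z.sl_achieved)
        rr = residual_risk(z)
        boundary = [f"{c.src}->{c.dst}" for c in conduits
                    if c.dst == z.name and by_name[c.src].sl_achieved < z.sl_target]
        report[z.name] = {"inherent": inherent_risk(z), "residual": rr, "sl_gap": gap,
                          "acceptable": rr <= tolerable and gap == 0,
                          "boundary_controls_needed": boundary}
    return report

# Constructed sample plant (values are illustrative only).
SAMPLE_ZONES = [
    Zone("enterprise-it", 1, 1, 2, 4, ["erp-server"]),
    Zone("dmz", 2, 2, 3, 4, ["historian", "jump-host"]),
    Zone("line-1-control", 3, 2, 5, 3, ["plc-01", "hmi-01"]),
    Zone("safety", 4, 4, 5, 2, ["sis-01"]),
]
SAMPLE_CONDUITS = [Conduit("enterprise-it", "dmz", "https"),
                   Conduit("dmz", "line-1-control", "opc-ua"),
                   Conduit("line-1-control", "safety", "modbus")]
TOLERABLE_RISK = 6

def run_sample():
    return assess(SAMPLE_ZONES, SAMPLE_CONDUITS, TOLERABLE_RISK)
```

Running it flags line-1-control as unacceptable because its controls fall one level short of SL-T, even though its residual risk number is within tolerance.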

In that aspect, IEC 62443 is much clearer than other standards, which makes it much easier to achieve compliance, compared, for example, to the NIS Directive that has a much less structured methodology. The structured methodology makes sure that you have a clear and full model of your network. Otherwise, the risk assessment will be incorrect and your mitigation plans will be inadequate.

How have new tools changed the process of risk assessment and management?

Manual risk assessment is no longer realistic because of the complexity of today’s networks. Some automation tools are available for some activities within the risk assessment process, for asset visibility and finding attack vectors and the likelihood of an attack, but they are mostly in the IT world. The emergence of tools for OT now enables the same type of risk assessment in OT networks.

What is the current situation with standards in Europe?

The NIS Directive is being made the law of the land in Europe, and the adoption process has been especially accelerated over the last two years. This has created a problem for some manufacturers, especially in regard to legacy devices. The standard also has to do with organizational culture and new internal practices, which makes adoption tricky. For now, the IEC 62443 standard is prescribed only in specific industries, and is not mandatory.

Supplier risk management

Supply chains pose one of the biggest problems, whether it’s remote access granted to contractors or malware built into a device without the vendor’s knowledge by one of the vendor’s suppliers. The key is to make sure that the entire supply chain is compliant with the same standards. A lot of good work has gone into assuring this in the UK and Europe. In the UK, however, the National Cyber Security Centre allows suppliers to assess themselves, which may lead to inconsistent compliance along the supply chain.