CIARA

Cyber Industrial Automated Risk Analysis

Business-Driven Industrial Risk Analytics

Radiflow CIARA is the first-of-its-kind ROI-driven risk assessment & management platform for industrial organizations.

Serving as a stakeholder decision-support tool, CIARA empowers CISOs and owners of complex ICS environments to increase the effectiveness of their risk-mitigation measures throughout the entire system lifecycle, while significantly reducing cybersecurity expenditure.

CIARA employs a fully-automated, data-driven risk assessment algorithm, which calculates the actual monetary/HSE impact of each risk-mitigation measure, using thousands of data points for network, asset, locale, industry, adversary capabilities and attack tactics. 

The weighted data is used to run network-wide attack simulations and inter-asset attack vectors. The ultimate result is a comprehensive real-world assessment report, as well as risk prioritization and recommendations for mitigation.

The result is a comprehensive mitigation roadmap (fully ISA/IEC 62443-compliant), prioritized by each mitigation control’s contribution to overall risk reduction, thus maximizing the impact of cybersecurity expenditure.

CIARA’s business-driven approach to risk analysis allows different target risk levels to be assessed and set per business process/network zone.

ROI-Based Risk Management

CIARA enables ROI-based optimization of cybersecurity expenditure to ensure the effectiveness of threat-mitigation measures in relation to the adversaries and attack tactics relevant to the specific industrial network.

CIARA’s unique risk assessment algorithm combines the likelihood of attacks on networked assets (based on the industrial network’s unique characteristics as well as a wide array of threat intelligence sources) with their quantitative real-world impact (e.g. monetary loss or non-compliance with governing regulations) to assess the risk introduced by different business processes. From this analysis, CIARA produces a list of mitigation measures prioritized by their contribution to reducing overall risk.

By following CIARA’s plain-language mitigation roadmap, users are able to divert expenditure from mitigations which marginally reduce risk (given the actual threats the network faces) to those that produce the most cybersecurity ROI.

CIARA’s risk-mitigation planner helps CISOs and stakeholders schedule the installation of controls over time (e.g. “multi-factor authentication to be installed at business process #2, at the cost of $2000, scheduled for 3Q21”), to meet budgetary constraints. CIARA’s clear implementation dashboard simplifies status reporting and presentation to stakeholders. 

CIARA’s risk mitigation checklist, displaying type of mitigation, affected business process (zone), completion status, target completion date, and cost of implementation 

Automated, Data-Driven Risk Assessment

Understanding OT network risk is a key factor in devising an effective cybersecurity plan. However, the complexity and the scale of modern ICS networks (due to the digital transformation of industry 4.0) render risk evaluation by traditional risk assessment procedures practically impossible. You simply can no longer “eyeball” risk.

Moreover, ad-hoc or annual risk reviews are no longer sufficient. Adequate protection requires continuous risk monitoring that instantly accounts for each and every change on the network, throughout the OT cybersecurity life-cycle.

CIARA simulates hundreds of commonly-used security controls against relevant known threats, factored against common OT risk scenarios (loss of availability, loss of control, damage to property, etc). This is done using indicators from a variety of sources to model network vulnerabilities, defences, possible attackers and attack methods:

  • Inventory mapping (provided by Radiflow iSID*)
  • Vulnerability mapping (CVSS/CVEs)
  • Virtual penetration testing (based on MITRE-ICS simulations & Radiflow Lab research)
  • User and system behaviour analysis
  • Historical data on previous incident scoring
  • Adversary threat intelligence (including MITRE ATT&CK™)
  • Change management detection

* Optional network data acquisition from flat file or PCAP file

Top attack scenarios for different business processes, detailing the likelihood, impact and risk factor for each

The CIARA Risk Management Process

Compliant with the ISA/IEC 62443 standard, CIARA helps customers that are new to OT Cybersecurity to achieve compliance and optimize their cybersecurity expenditure. CIARA’s risk assessment & mitigation planning process utilizes ZCRs (zone & conduit requirements) as specified in the standard:

Step 1 (ZCR #1): Learning the network

Network information is obtained from a digital twin (model) of the network, produced by Radiflow iSID.

Deliverable:

Full network visibility report displaying all assets, protocols, and links.

Step 2 (ZCR #2-4): Network definition & Initial Risk analysis

Zones (operational units) and Conduits (between zones) are defined and each is assigned a monetary impact or HSE value.

Industry & geo-location characteristics are used to assess the relevance of adversaries (using the MITRE ATT&CK database). Attack scenarios are simulated.

Deliverable:

Zone and SL-T table (CIARA adds IEC 62443 SL-Ts to zones out of the box).

Step 3 (ZCR #5): Analysis of each zone’s Foundational & Security requirements

CIARA compares each zone’s current security level with its required security level, and presents the user with the controls (mitigation measures) needed to achieve each zone’s target (SL-T). Controls are prioritized by their contribution to reducing overall network risk.

Deliverable:

Detailed Risk Report, including all threats, vulnerabilities, zone impact, unmitigated & target risk levels, existing countermeasures, likelihood of impact, residual vs. tolerable risk, and additional cybersecurity countermeasures.

Step 4 (ZCR #6-7): Finalizing mitigation plan and applying security controls

Upon implementation of each prescribed Control measure, CIARA will re-calculate the network’s overall risk score as well as the security position of each zone.

Deliverable:

Ongoing documentation of the cybersecurity requirements, assumptions and constraints needed to achieve the SL-T, as well as ownership and accountability for implementing controls. 

CIARA’s analysis uses a “digital twin” of the OT network, including all assets & asset property, protocols & vulnerabilities, generated by Radiflow iSID

Tools for CISOs

CIARA’s main dashboard: detected Zones are displayed in a color-coded risk level array

Mitigation Controls are prioritized by their contribution to reduction of overall network risk

Gap-comparison between each zone’s achieved (SL-A) and target (SL-T) security levels (“spider” graph, top left); controls checklist with dynamic risk scoring (bottom)

Region & industry information is used to assess the relevance of adversaries and attack tactics

CIARA for OT-MSSPs

In recent years, managed security services providers (MSSPs) have become a viable option for small-to-medium size OT organisations seeking enterprise-level security without setting up a full-fledged network security operation.

With CIARA, OT-MSSPs are able to offer their industrial (ICS) users ROI-driven risk assessment and management services (in tandem with Radiflow’s award-winning iSID Industrial Threat Detection Platform).

Risk assessments can be offered to users on a periodic or an ongoing (recommended) basis, giving stakeholders a clear picture of their network’s risk stance, and providing the CISO with expert guidance on implementing CIARA’s mitigation roadmap.

Part of Radiflow’s Full-stack industrial cybersecurity solution

CIARA is part of Radiflow’s innovative solution suite for industrial organizations. Designed for industrial organizations of all sizes, CIARA is an integral part of Radiflow’s multi-tier OT detection & prevention toolset, which includes the award-winning iSID industrial threat detection platform, the iSAP low-bandwidth smart collector for distributed networks, and the iCEN central multi-site management tool for corporate or OT-MSSP SOCs.