Risk Management in Operational Technology
We can’t discuss risk management in operational technology (OT) without talking about people, processes, and technology.
At its foundation, ISA/IEC 62443 outlines a Cyber Security Management System (CSMS) in much the same way that ISO/IEC 27001 defines an Information Security Management System for traditional IT.
Your organisation may already have a management system in place, and if so it is entirely acceptable to build on it. The 62443 standards are designed to align with and complement existing bodies of work, adding the elements needed to address risk specific to OT environments. The CSMS reference model (ISA/IEC 62443-2-1) groups the programme into three categories that together protect the OT system against cyber threats.
These categories are:
- Risk Analysis
- Addressing Risks within the CSMS, and
- Monitoring and Improving the CSMS
Each category has many elements required to achieve the goals of the category; these elements can be encapsulated under people, processes, and technology.
People, Process and Technology
People
Leadership buy-in
One of the core foundations of any security program is getting support and buy-in from senior management and board members. Leadership provides the scope and strategic goals for the program and their involvement is crucial from the start.
Stakeholder engagement
Clear stakeholder engagement is a key element of any security program, especially where traditional OT systems and technologies are concerned. Effective engagement often stems from established senior buy-in.
Roles and responsibilities
Well-defined roles and responsibilities are crucial for the success of a security program. Poorly defined roles can lead to lapses in the monitoring, management, or maintenance of controls as the program develops. Staff training and skill development are equally important. Employees should know their roles and have the necessary skills to perform them effectively.
Processes and Technology
Risk management in OT environments is usually asset-centric, because within a control system a single failure in a process can have catastrophic health, safety or environmental (HSE) consequences.
Asset Centric Approach
Identifying assets with similar functions and treating them as a single entity makes it possible to manage complex systems with numerous individual processes. This method, known as zoning, is foundational to managing risk with the ISA/IEC 62443 Security for industrial automation and control systems (IACS) series of standards. Zones are logical or physical groupings of assets based on risk, function, criticality or physical location.
Purdue Model
The Purdue Model for control systems defines four distinct OT layers: physical process devices, physical control devices, supervisory control, and operations control. Assets are generally classified by the type of function they perform within the Purdue model, but that does not mean different functions cannot exist within the same Purdue layer. Conversely, when assigning zones to assets for a risk assessment, assets that perform different functions may still be allocated to the same zone, because the grouping considers assets of similar security importance or criticality. This notion differs from traditional safety criticality and focuses more on business criticality, e.g. a system holding the secret formula for a chemical compound or the design of a new type of semiconductor chip.
After defining the system’s zones (and the conduits that connect them), assess information security risk using standards such as ISO/IEC 27005, ISO 31000 and NIST SP 800-30. These frameworks establish the context for the assessment, laying down the rules, assumptions and constraints that align with the organisation’s risk tolerance, and they follow a common cycle of identification, assessment, treatment, acceptance and review applied to each zone.
Determine the unmitigated risk for each zone and set a Security Level Target (SL-T) according to the protection needed against increasingly skilled, resourced and motivated adversaries. Security Levels run from SL 0 (no specific requirements) to SL 4 (protection against intentional attack using sophisticated means, extended resources, IACS-specific skills and high motivation), which maps naturally onto a qualitative risk matrix from very low to extreme (0 to 4). The countermeasures already in place give the zone an achieved security level (SL-A); where SL-A falls short of SL-T, or the residual risk still exceeds what the organisation tolerates, apply additional controls and reassess until the zone meets its target.
ISA/IEC 62443-3-3 defines seven Foundational Requirements (FRs), and a zone’s SL-T is in fact a vector of seven values, one per FR, so the target can differ by requirement:
- FR 1 Identification and authentication control (IAC)
- FR 2 Use control (UC)
- FR 3 System integrity (SI)
- FR 4 Data confidentiality (DC)
- FR 5 Restricted data flow (RDF)
- FR 6 Timely response to events (TRE)
- FR 7 Resource availability (RA)
These FRs target the weaknesses and failure points of an IACS, reducing the risk of alteration, tampering or compromise. Applying them consistently through engineering and design is among the most effective strategies for mitigating control system risk.
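The zone assessment described above (unmitigated risk, SL-T per FR, comparison against the achieved level, remediation and re-check) is easier to reason about when written down. The following is an added example, not code from the page or from the 62443 standards: the 5x5 risk matrix, the rule that maps a zone’s risk rating to a uniform SL-T (with optional per-FR overrides, as for a confidentiality-sensitive recipe zone), and the three sample zones with their SL-A values are all constructed for illustration. A real programme takes those scales from its own risk-tolerance criteria.

```python
"""Zone-level risk rating and security-level gap check in the style of
ISA/IEC 62443-3-2. Added example; scales, matrix and sample zones are
constructed, not taken from the standard."""
from dataclasses import dataclass, field

# The seven Foundational Requirements of ISA/IEC 62443-3-3, FR 1 .. FR 7.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# Constructed qualitative matrix: RISK_MATRIX[likelihood][consequence]
# gives a rating 0 (very low) .. 4 (extreme). Both axes run 0 .. 4.
RISK_MATRIX = [
    [0, 0, 1, 1, 2],
    [0, 1, 1, 2, 3],
    [1, 1, 2, 3, 3],
    [1, 2, 3, 4, 4],
    [2, 3, 3, 4, 4],
]


@dataclass
class Zone:
    name: str
    assets: list                       # grouped assets, treated as one entity
    likelihood: int                    # 0..4, threat likelihood before mitigation
    consequence: int                   # 0..4, worst credible HSE/business impact
    achieved: dict = field(default_factory=dict)       # SL-A per FR from existing controls
    slt_overrides: dict = field(default_factory=dict)  # per-FR SL-T that replaces the default


def unmitigated_risk(zone):
    """Risk rating of the zone with no countermeasures credited."""
    for v in (zone.likelihood, zone.consequence):
        if not 0 <= v <= 4:
            raise ValueError(f"{zone.name}: likelihood/consequence must be 0..4")
    return RISK_MATRIX[zone.likelihood][zone.consequence]


def target_sl(zone):
    """SL-T vector. Assumed rule: the risk rating becomes the SL-T for every
    FR unless the zone overrides a specific FR (e.g. DC for a recipe store)."""
    base = unmitigated_risk(zone)
    return {fr: zone.slt_overrides.get(fr, base) for fr in FRS}


def gaps(zone):
    """FRs whose achieved level is below target: (SL-A, SL-T) per shortfall."""
    slt = target_sl(zone)
    return {fr: (zone.achieved.get(fr, 0), slt[fr])
            for fr in FRS if zone.achieved.get(fr, 0) < slt[fr]}


def meets_target(zone):
    return not gaps(zone)


def remediate(zone, fr, new_sl):
    """Credit a countermeasure that raises SL-A for one FR, then re-check.
    Returning the remaining gaps lets the caller iterate until none remain."""
    zone.achieved[fr] = max(zone.achieved.get(fr, 0), new_sl)
    return gaps(zone)


def assess(zones):
    return {z.name: {"risk": unmitigated_risk(z), "sl_t": target_sl(z), "gaps": gaps(z)}
            for z in zones}


# Constructed sample zones; the SL-A values are invented for the example.
SAMPLE_ZONES = [
    Zone("Safety instrumented system", ["SIS logic solver", "SIS engineering workstation"],
         likelihood=2, consequence=4,
         achieved={"IAC": 3, "UC": 2, "SI": 3, "DC": 1, "RDF": 3, "TRE": 2, "RA": 3}),
    Zone("Plant historian DMZ", ["historian server", "replication proxy"],
         likelihood=3, consequence=1, achieved={fr: 2 for fr in FRS}),
    Zone("Recipe management", ["recipe server", "batch engineering station"],
         likelihood=2, consequence=2, achieved={fr: 2 for fr in FRS},
         slt_overrides={"DC": 3}),   # confidentiality matters more than the HSE rating implies
]

if __name__ == "__main__":
    for name, result in assess(SAMPLE_ZONES).items():
        status = "OK" if not result["gaps"] else f"gaps {result['gaps']}"
        print(f"{name}: risk={result['risk']} SL-T={result['sl_t']} -> {status}")
```

Running the script rates the safety zone as high risk (3) and reports shortfalls in UC, DC and TRE, accepts the historian DMZ at SL 2, and flags only DC for the recipe zone because of its confidentiality override; calling `remediate` for each flagged FR and re-checking mirrors the treat-and-review loop the text describes.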
Conclusion
Risk management in OT depends on integrating people, processes and technology. In today’s interconnected industrial landscape it is a strategic imperative rather than a one-off task: by identifying, assessing and mitigating risk zone by zone, organisations protect their critical infrastructure, improve operational resilience and maintain business continuity, which in turn preserves stakeholder trust and leaves room to innovate with confidence.