The Role of Context in ICS Security Risk Assessment


In our last post Understanding the Security Risks of Industrial Control Systems we discussed the growing security threat to the Industrial Control Systems (ICS) used to support critical infrastructure and drive processes in a number of industry sectors. Increasingly, ICS components and systems are connected via the public Internet rather than private networks. Many of these components have weak security protocols and numerous vulnerabilities. While Internet connectivity plays an important role in the modernization of critical infrastructure, it heightens the risk that cybercriminals could access and take control of these systems.

Despite increasing awareness of ICS threats, few organizations know how to go about addressing them. Given the large number of components that may be employed in an ICS environment — which may be spread across a wide geographic area — the prospect of securing and monitoring these systems can be daunting.

Context provides organizations with a starting point for ICS risk assessment. Say, for example, that the same digital controller is used in three very different environments: a conveyor belt in a manufacturing plant, an escalator in a mall, and an automated system in a nuclear power facility. The odds of a hacker being motivated to access and compromise the conveyor belt are low, and the damage from a successful breach are limited to material loss and downtime. The escalator, on the other hand, transports people — a hacker might be more motivated to disrupt that system and injuries or even loss of life could result. Of course, the nuclear power facility would be an attractive target for cybercrime and the threats to human life and the environment are enormous should a disruption occur.

There are a number of existing frameworks that may be considered to analyze and quantify ICS risks, including the NIST RMF (Risk Management Framework), OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) and TARA (Threat Assessment and Remediation Analysis). A framework provides a uniform process for identifying threats and vulnerabilities and reviewing them against a particular ICS component in a particular context. Values can then be assigned based upon the likelihood and impact of a particular risk, as well as the effect of remediation, so organizations can prioritize their mitigation activities.

Be aware that while risk management frameworks can bring a structured process to identify and quantify risks, they often come with their own set of challenges. They can be complex, time consuming and cumbersome to set up. A considerable amount of training may be required along with buy-in from the participating groups.

Identity and access management also plays a critical role in mitigating risks in ICS/SCADA environments. Who has logical access to a component or system? Who has physical access to the facility? What level of privileges do those users have? What controls are in place to authenticate user credentials? In order to effectively evaluate risk, organizations need to be asking these questions about their ICS/SCADA environments, particularly as more components and systems can be access remotely via the Internet or wireless network protocols. A defined identity governance approach that incorporates roles and privilege management can not only increase the level of accountability but can also act as an early warning of improper assignment of privileges and separation of duty violations.

Connected systems are more manageable and flexible than legacy infrastructure, and can react more quickly to critical situations. However, cybercriminals can gain access to Internet-connected ICS components if strong authentication and security controls are not in place. Organizations should be implementing procedures for assessing ICS risk and enhancing the security of critical infrastructure.


Arun Kothanath, Chief Security Strategist for DIT, presented on “Contextual Risk Assessment of Industrial Control Systems: A Practical Approach,” at RSA Charge in New Orleans, Oct. 27.

Leave a Comment