Instead of trying to guess the risk of cyber attacks, companies should view their industrial assets like an unlocked car — and simply focus on stopping attacks from occurring in the first place.
Part of my job is to evangelize the need for cyber security solutions to protect industrial control systems (ICS). In many instances, when I meet with executives from companies who own or operate industrial technology, they are already aware that their control systems are at risk from cyber attacks.
As it turns out, the challenge for most executives is not lack of industrial control systems cyber risk awareness, but rather how to quantify cyber risk in a way that enables investment in effective mitigation.
A recurring theme I often hear is that the challenge for operational technology (OT) security in quantifying risk lies in estimating the probability of an attack. After all, common risk assessment methodologies, such as measuring an annual loss expectancy (ALE), require us to first determine a rate of occurrence, i.e. a probability. But in many cases we are trying to measure the uncertainty of unknown events. This leads me to the following questions: How can threat events be modeled in this manner when many catastrophic scenarios assume outlier occurrences? Can we even be sure that our probability assessments are correct to within several orders of magnitude? For example, is it a one-in-a-million or one-in-a-billion chance that your industrial assets will be the victims of the next targeted attack, insider threat, or accidental cyber event?
What if, instead of taking a threat-centric approach to assessing risk, we viewed cyber risk through a vulnerability-centric lens? To draw an analogy, let’s take the risk of your car being burglarized while parked. A vulnerability-centric approach says to lock the doors to prevent an intrusion, and to turn on the alarm system to deter a potential break-in. The “vulnerability” itself is the unlocked door. A threat-centric view looks at the probability of theft in the local area. If one lived in a high-crime area, locking the doors would be standard practice. If one lived in Mayberry, with a near-zero crime rate, one might feel confident that an unlocked car would not be at risk of a burglary.
However, even in Mayberry there may be unknown future events that are unpredictable, such as the town hosting a sporting event, carnival or festival that invites strangers to the area, or perhaps a group of tourists passing through town who may be less trustworthy than the local residents. When we drive our cars on vacation, we don’t perform a risk assessment of each new area in order to decide whether or not to lock our doors. Instead, we ensure that we protect against obvious vulnerabilities, regardless of the actual risk, by simply locking the doors and turning on the alarm.
In many ways, OT environments vulnerable to cyber attacks are like unlocked cars residing in Mayberry. The assumption is that being air-gapped means the OT assets reside in a safe local area (e.g. “we are air-gapped, therefore we have minimal risk”). But the convergence of IT into OT environments, and the prevalence of laptops and mobile devices entering the OT network (perhaps unintentionally), introduce an unknown but non-zero cyber risk. Trying to measure this unknown risk from a threat-centric perspective is very difficult. Instead, what if we simply looked at how to protect industrial assets against known vulnerabilities, regardless of the actual risk, as we would with the unlocked car?
If we could simply block attempted attacks from occurring in the first place, we could have assurance that a cyber event in the OT environment would not disrupt our cyber-physical systems. As long as executives recognize that their industrial cyber risk is greater than zero, taking a vulnerability-centric approach to risk analysis can simplify the decision on when and how to protect industrial assets.