Risk Assessment for Process Control
Risk assessment for process control must consider both cybersecurity and operational safety impacts.
OT Risk Focus
IT risk assessments usually rank confidentiality first, then integrity, then availability. OT risk inverts that order and adds physical dimensions that have no IT equivalent:
- Availability: Can the system continue operating?
- Safety: Could compromise cause physical harm?
- Environmental impact: Potential for environmental damage?
- Equipment damage: Risk of expensive equipment destruction?
- Service reliability: Impact on customers and grid stability?
Risk Formula
Risk = Threat × Vulnerability × Consequence
- Threat: Likelihood that a threat source acts (deliberate attack or accidental incident)
- Vulnerability: Exploitable weaknesses that allow the threat to succeed
- Consequence: Operational, safety, and business impact if it does
This decomposition is a widely used convention rather than something ISO/IEC 27019 prescribes; ISO/IEC 27019 provides energy-utility guidance for applying ISO/IEC 27001/27002 controls and leaves the risk method to the organization. The multiplication is qualitative, not arithmetic on probabilities: in practice Threat and Vulnerability are folded into a single likelihood rating (step 6 below) and plotted against Consequence on a risk matrix (step 7).
Risk Assessment Process
1. Define Scope and Objectives
- Which OT systems are in scope?
- What are we trying to protect (assets, processes)?
- What regulations apply?
- What is acceptable risk level?
2. Asset Identification
Use asset inventory from previous lesson:
- Critical control systems
- Safety systems
- Field devices
- Network infrastructure
- Supporting IT systems
3. Threat Identification
Energy sector specific threats:
- Nation-state actors: Targeting critical infrastructure
- Cybercriminals: Ransomware and extortion
- Hacktivists: Ideologically motivated disruption
- Insiders: Malicious or negligent employees/contractors
- Accidents: Unintentional misconfigurations or failures
4. Vulnerability Assessment
Identify weaknesses:
- Technical: Unpatched systems, weak authentication, poor segmentation
- Procedural: Weak change control, poor vendor management
- Architectural: Flat networks, no DMZ, internet-connected OT
5. Consequence Analysis
What happens if exploited:
- Safety impact: Worker safety, public safety, environmental
- Operational impact: Downtime, degraded operations, manual control
- Equipment impact: Damaged transformers, generators, transmission equipment
- Financial impact: Lost revenue, repair costs, regulatory fines
- Compliance impact: Violation of NERC CIP or other regulations
6. Likelihood Assessment
How probable is exploitation:
- Threat actor capability and motivation
- Ease of exploiting vulnerability
- Existing controls reducing likelihood
- Historical precedent (has it happened before?)
7. Risk Calculation and Prioritization
Determine risk level and priority:
- Combine likelihood and consequence
- Use risk matrix for consistent scoring
- Prioritize high risks for treatment
- Document all identified risks
Example Risk Scenarios
High Risk: Ransomware Spread to OT
- Threat: Cybercriminals targeting energy company
- Vulnerability: Weak IT/OT network segmentation, shared credentials
- Consequence: Control system encryption, forced outage, customer impact
- Mitigation: Network segmentation, separate credentials, application whitelisting
High Risk: Compromised Vendor Access
- Threat: Nation-state compromise of vendor credentials
- Vulnerability: Vendor VPN with weak authentication, excessive access
- Consequence: Persistent access to control systems, data exfiltration, future attack staging
- Mitigation: MFA for vendor access, just-in-time access, session monitoring
Medium Risk: Insider Sabotage
- Threat: Disgruntled employee with system access
- Vulnerability: Excessive privileges, minimal monitoring, weak change control
- Consequence: Unauthorized configuration changes, system disruption
- Mitigation: Least privilege, dual authorization for critical changes, comprehensive logging
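The following Python script is an added example, not part of the original lesson, that carries the three scenarios above through steps 5 to 7: it derives a likelihood rating from threat capability, exploit ease, existing controls and precedent, takes the worst consequence dimension rather than an average (so a safety outcome is never diluted by a modest financial figure), scores each scenario on a 5×5 matrix, ranks them, and re-scores the ransomware scenario after its listed mitigations to show residual risk. The scales, band thresholds and individual ratings are illustrative assumptions, not values from any standard.

```python
"""Risk matrix scoring for the OT scenarios in this lesson (added example).

Scales, thresholds and ratings below are illustrative assumptions.
"""
from dataclasses import dataclass, field, replace


def risk_band(score: int) -> str:
    # Band thresholds for a 5x5 matrix (assumption; many utilities use 3 or 4 bands).
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def clamp(value: int, low: int = 1, high: int = 5) -> int:
    return max(low, min(high, value))


@dataclass
class Scenario:
    name: str
    threat_capability: int           # 1..5, actor capability and motivation (step 6)
    exploit_ease: int                # 1..5, how easy the weakness is to exploit (step 6)
    control_strength: int = 0        # 0..4, how much existing controls cut likelihood (step 6)
    precedent: bool = False          # has this happened in the sector before? (step 6)
    consequences: dict = field(default_factory=dict)  # dimension -> 1..5 (step 5)


def likelihood(s: Scenario) -> int:
    # Midpoint of capability and ease (rounded up), bumped by precedent, reduced by
    # controls. This is ordinal arithmetic: the numbers are ranks, not probabilities.
    base = (s.threat_capability + s.exploit_ease + 1) // 2
    return clamp(base + (1 if s.precedent else 0) - s.control_strength)


def consequence(s: Scenario) -> int:
    # OT rule: take the worst dimension, never the average. A catastrophic safety
    # outcome with negligible financial loss is still catastrophic.
    return clamp(max(s.consequences.values()))


def score(s: Scenario) -> tuple[int, int, int, str]:
    lik, con = likelihood(s), consequence(s)
    return lik, con, lik * con, risk_band(lik * con)


def prioritize(scenarios: list) -> list:
    # Highest score first; ties broken by consequence so safety-heavy risks surface.
    rows = [(s.name, *score(s)) for s in scenarios]
    return sorted(rows, key=lambda r: (r[3], r[2]), reverse=True)


# The three scenarios from this lesson, with illustrative (assumed) ratings.
RANSOMWARE = Scenario("Ransomware spread to OT", threat_capability=3, exploit_ease=4, precedent=True,
                      consequences={"safety": 2, "operational": 5, "equipment": 1, "financial": 4, "compliance": 4})
VENDOR = Scenario("Compromised vendor access", threat_capability=5, exploit_ease=4, precedent=True,
                  consequences={"safety": 3, "operational": 4, "equipment": 2, "financial": 3, "compliance": 4})
INSIDER = Scenario("Insider sabotage", threat_capability=3, exploit_ease=4, control_strength=1,
                   consequences={"safety": 3, "operational": 4, "equipment": 3, "financial": 2, "compliance": 3})


def residual_ransomware() -> Scenario:
    # Treatment from the lesson: segmentation, separate credentials, application allowlisting.
    # Spread becomes harder (ease down, controls up); if malware still crosses, the outage
    # is shorter because operators can fall back to manual control (operational 5 -> 4).
    return replace(RANSOMWARE, exploit_ease=2, control_strength=2,
                   consequences={**RANSOMWARE.consequences, "operational": 4})


if __name__ == "__main__":
    for name, lik, con, sc, band in prioritize([RANSOMWARE, VENDOR, INSIDER]):
        print(f"{name:28} L={lik} C={con} score={sc:2} {band}")
    print("Residual, ransomware after treatment:", score(residual_ransomware()))
```

Note that the residual ransomware score stays Medium even though likelihood drops sharply: segmentation reduces how often malware reaches OT, but not how bad it is once there, so the treatment plan should record both the residual rating and the consequence it still leaves on the table.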
Safety Integration
Coordinate with existing safety processes:
- PHA (Process Hazard Analysis): Identify cyber-physical scenarios
- HAZOP (Hazard and Operability Study): Consider cyber as initiating event
- FMEA (Failure Modes and Effects Analysis): Include cyber-induced failures
- Bow-Tie Analysis: Cyber threats as initiating events with security barriers
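The bow-tie point above is that a cyber initiating event can also disable barriers that a conventional PHA would count as protection: an attacker who controls the network an interlock depends on has defeated that interlock. The Python below is an added example, not from the lesson, that models this as a barrier-independence check: each barrier lists the zones it depends on, each initiating event lists the zones an attacker would control, and any event left with fewer than a minimum number of surviving barriers is flagged. The overpressure scenario, zone names and minimum of two barriers are constructed assumptions for illustration; this is a screening aid, not a substitute for a formal hazard study.

```python
"""Bow-tie screening: which cyber initiating events defeat their own barriers? (added example)"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    name: str
    depends_on: frozenset   # zones whose compromise defeats this barrier; empty = cyber-independent


@dataclass(frozen=True)
class InitiatingEvent:
    name: str
    compromises: frozenset  # zones the attacker controls once the event occurs; empty for non-cyber


def surviving_barriers(event: InitiatingEvent, barriers: list) -> list:
    """Barriers that remain credible when the attacker already holds `event.compromises`."""
    return [b for b in barriers if not (b.depends_on & event.compromises)]


def barrier_gaps(events: list, barriers: list, minimum: int = 2) -> dict:
    """Initiating events with fewer than `minimum` independent barriers, and what survives."""
    gaps = {}
    for ev in events:
        survivors = surviving_barriers(ev, barriers)
        if len(survivors) < minimum:
            gaps[ev.name] = [b.name for b in survivors]
    return gaps


# Constructed top event: vessel overpressure. One cyber and one non-cyber initiating event.
HMI_CHANGE = InitiatingEvent("Malicious setpoint change from compromised HMI", frozenset({"control_network"}))
OPERATOR_ERROR = InitiatingEvent("Operator enters wrong setpoint", frozenset())

# Constructed barriers. The two SIS variants differ only in what network they depend on.
BPCS_ALARM = Barrier("BPCS high-pressure alarm and operator response", frozenset({"control_network"}))
SIS_SEGREGATED = Barrier("SIS high-pressure trip (dedicated safety network)", frozenset({"safety_network"}))
SIS_FLAT = Barrier("SIS high-pressure trip (shares control network)", frozenset({"control_network", "safety_network"}))
RELIEF_VALVE = Barrier("Mechanical pressure relief valve", frozenset())


def segregated_design() -> dict:
    return barrier_gaps([HMI_CHANGE, OPERATOR_ERROR], [BPCS_ALARM, SIS_SEGREGATED, RELIEF_VALVE])


def flat_design() -> dict:
    return barrier_gaps([HMI_CHANGE, OPERATOR_ERROR], [BPCS_ALARM, SIS_FLAT, RELIEF_VALVE])


if __name__ == "__main__":
    print("Segregated SIS, gaps:", segregated_design())   # {} : two independent barriers remain
    print("Flat network, gaps:  ", flat_design())         # HMI event left with the relief valve only
```

The operator-error event shows three barriers in both designs, which is what a PHA that ignores cyber would report for every initiator. Only when the initiating event is allowed to "carry" a compromised zone does the flat-network design reveal that the BPCS alarm and the SIS trip share a common cause with the attack and cannot both be credited.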
Risk Treatment Options
For each identified risk:
- Mitigate: Implement controls to reduce likelihood or impact
- Accept: Document acceptance if risk is tolerable
- Transfer: Insurance or contractual transfer (limited applicability for OT: financial loss can be insured, but safety and environmental consequences cannot be transferred)
- Avoid: Eliminate the vulnerable system or process (rarely feasible)
Documentation
Risk Register
For each risk document:
- Risk ID and description
- Affected assets
- Threat and vulnerability
- Consequence scenario
- Likelihood and impact ratings
- Risk score
- Treatment plan
- Responsible owner
- Target completion date
- Status
Risk Treatment Plan
For mitigated risks:
- Specific controls to implement
- Implementation timeline
- Resource requirements
- Success criteria
- Residual risk after treatment
Next Lesson: Integrating cybersecurity with safety systems.