Risk Assessment, Risk Mitigation, and Risk Lifecycle Processes
Risk assessment, risk mitigation, and continuous lifecycle update of processes are fundamental methodologies for providing security. Using business requirements (financial, brand, operational, societal) as inputs, and proven methodologies defined in international standards that are applicable to OT environments, organizations can determine their security risk exposure, select and apply appropriate security measures, follow those measures closely, and update them when needed, in a continuous improvement process.
Risk assessment involves both objective and subjective analyses. There are many risk assessment methods and guidelines that can be used to identify the risks in the OT environment. Choosing which risk assessment method to apply to a given situation and environment can be quite challenging, since organizations face different constraints, such as national regulations, time constraints, and executive directives.
There is also no single or perfect way of mitigating risks. In the OT environment, the principles chosen for risk mitigation must integrate the operational constraints of the systems, in order to take personal safety into account, to protect physical assets, and to ensure the required performance of these systems.
For the best risk assessment process, it is key to integrate the experts of each utility domain directly as part of the cyber security team, not only as contributors to risk mitigation methods, but also as contributors to risk assessment lifecycle updates.
A risk can be described as a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event.
Risk assessment should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. Risk assessment should include:
The key steps of any risk assessment method include:
Threats can be associated with physical equipment, information, processes, interactions, configurations, and other assets.
Risk mitigation involves balancing the risk against the cost of the mitigations that reduce that risk to an acceptable level. Internal security policies must determine which risks are acceptable. Risk mitigation may require an update to the risk assessment to ensure that the residual risks are indeed acceptable, particularly if many changes have been made as part of risk mitigation.
Apply security controls to mitigate the risks that were identified:
Once the risk assessment has been completed and the risk mitigation control solutions have been selected, these solutions are implemented on the systems.
Determine which actual control implementations (i.e., which specific procedures, technologies, and/or commercial products) should be applied for each type of security control.
Over time, all of these control solutions should be monitored to ensure that they continue to be effective and to detect whether attacks have overcome them.
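As an added example (not part of the original text), the process described in this section, rating risk as a combination of consequence and likelihood, prioritizing against an acceptance criterion, and re-assessing after mitigation, carried through in Python on a constructed OT risk register. The ordinal scales, the acceptance threshold and the register entries are assumptions made for illustration; an organization defines its own in its security policy.

```python
from dataclasses import dataclass, field

# Ordinal scales (constructed for this example; organizations define their own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
# Risk acceptance criterion set by internal security policy (constructed value).
ACCEPTABLE_RISK = 4


@dataclass
class Risk:
    name: str
    likelihood: str
    # Consequence rated per OT dimension: personal safety, physical assets, performance.
    consequences: dict
    controls: list = field(default_factory=list)

    def score(self) -> int:
        # Risk = likelihood combined with the worst consequence across all dimensions,
        # so a severe safety impact is never averaged away by a minor one elsewhere.
        worst = max(CONSEQUENCE[c] for c in self.consequences.values())
        return LIKELIHOOD[self.likelihood] * worst

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_RISK


def prioritize(risks):
    """Risks above the acceptance criterion, highest score first (ties keep register order)."""
    return sorted((r for r in risks if not r.acceptable()), key=lambda r: -r.score())


def mitigate(risk, control, new_likelihood=None, new_consequences=None) -> int:
    """Record a control, update the ratings it changes, and return the re-assessed score."""
    risk.controls.append(control)
    if new_likelihood:
        risk.likelihood = new_likelihood
    if new_consequences:
        risk.consequences.update(new_consequences)
    return risk.score()


def build_register():
    """Constructed sample register for a substation-style OT environment."""
    return [
        Risk("Unpatched engineering workstation", "likely",
             {"safety": "moderate", "assets": "major", "performance": "major"}),
        Risk("Unauthorized firmware change on a protection relay", "possible",
             {"safety": "severe", "assets": "severe", "performance": "major"}),
        Risk("Loss of historian data", "unlikely",
             {"safety": "minor", "assets": "minor", "performance": "moderate"}),
    ]
```

Running `prioritize(build_register())` leaves the historian risk out as already acceptable; after `mitigate` lowers the relay risk's likelihood to "rare" it becomes acceptable, while a segmentation control that only lowers the workstation risk to "unlikely" still leaves it above the threshold, which is exactly why the re-assessment step exists.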