Risk Assessment, Risk Mitigation, and Risk Lifecycle Processes

Risk assessment, risk mitigation, and continuous lifecycle update of processes are fundamental methodologies for providing security. Using business requirements (financial, brand, operational, societal) as inputs, and proven methodologies defined in international standards that are applicable to OT environments, organizations can determine their security risk exposure, select and apply appropriate security measures, follow them closely, and update them when needed, in a continuous improvement process.

Risk assessment involves both objective and subjective analyses. There are many risk assessment methods and guidelines that can be used to identify the risks in the OT environment. The choice of which risk assessment method to apply to different situations and environments could be quite challenging, depending on different constraints in different organizations, such as national regulations, time constraints, and executive directives.

There is also no single or perfect way of mitigating risks. In the OT environment, the principles chosen for risk mitigation must integrate the operational constraints of the systems, in order to take personal safety into account, to protect physical assets, and to ensure the required performance of these systems.

For the best risk assessment process, it is key to integrate the experts of each utility domain directly as part of the cyber security team, not only as contributors to risk mitigation methods, but also as contributors to risk assessment lifecycle updates.

A risk can be described as a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event.

  • Consequences of an event (e.g. a failed process, loss of information, harm to personnel) may be safety, financial, environmental, societal, etc.
  • Risks should be identified, quantified or qualitatively described, and prioritized against risk criteria and objectives relevant to the organization.

Risk assessment should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. Risk assessment should include:

  • The systematic approach of estimating the magnitude of risks (risk analysis);
  • The process of comparing the estimated risks against risk criteria to determine the significance of the risks (risk evaluation).

The key steps of any risk assessment method include:

  • Collect the high-level business and regulatory requirements that apply to the OT environment, and identify the impacts (safety, economics, operational) if the requirements are not met.
  • Choose the risk assessment method, based on organizational requirements and constraints.
  • Choose the scope of the risk assessment to be performed, based on the boundaries of the targeted systems, including not only the systems internal to the boundaries, but also the interfaces with other OT and non-OT systems.

Threats can be associated with physical equipment, information, processes, interactions, configurations, and other assets.

Risk mitigation involves balancing the risk against the cost of the mitigation that reduces it to an acceptable level. Internal security policies must determine which risks are acceptable. Risk mitigation may require an update of the risk assessment to confirm that the residual risks are indeed acceptable, particularly if many changes have been made as part of risk mitigation.

Apply security controls to mitigate the risks that were identified:

  • Security control solutions may consist of organizational measures, processes, and/or technologies that are implemented in the systems.
  • The efficacy of the security control solutions could be assessed to determine if they have actually mitigated the risk acceptably.
  • These security control solutions could include both cyber security measures as well as power engineering measures (procedures, technologies, and/or real-time operations).

Once the risk assessment has been completed and the risk mitigation control solutions have been selected, these solutions are implemented on the systems.

  • Verify over time that the controls have been applied correctly and really provide the expected mitigation.
  • Include an assurance process, such as an audit, possibly by a different group.

Determine what actual control implementations (i.e. which specific procedures and/or technologies and/or commercial products) should be applied for each type of security control.

  • Some security control solutions may not be implementable in some systems, particularly legacy systems (e.g. anti-virus applications or secure patching procedures).
  • Constraints on these control solutions should be identified, given the variety of issues associated with diverse OT environments, such as different constraints in a substation environment (long times between the ability to patch systems) or a DER environment (poor on-site security knowledge).
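The risk analysis, risk evaluation and mitigation steps described above, as an added worked example that is not part of the original text: the 5-level scales, the acceptance threshold of 8, the sample risk register and the control catalogue are all constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Constructed scales (assumption of this example): likelihood 1..5, each consequence
# dimension 1..5, and risk magnitude = likelihood x worst consequence dimension.
DIMENSIONS = ("safety", "financial", "environmental", "societal")
ACCEPTABLE_RISK = 8  # hypothetical acceptance criterion set by internal security policy

@dataclass
class Risk:
    asset: str
    event: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    consequence: dict      # dimension -> 1 (negligible) .. 5 (catastrophic)
    legacy: bool = False   # legacy systems cannot take every control
@dataclass
class Control:
    name: str
    likelihood_reduction: int  # likelihood levels removed if the control is applied
    cost: int                  # relative cost units
    legacy_compatible: bool = True

def magnitude(likelihood, consequence):
    """Risk analysis: combine likelihood with the worst consequence dimension."""
    return likelihood * max(consequence[d] for d in DIMENSIONS)

def evaluate(risks):
    """Risk evaluation: rank by magnitude and flag those above the acceptance criterion."""
    ranked = sorted(risks, key=lambda r: magnitude(r.likelihood, r.consequence), reverse=True)
    return [(r, magnitude(r.likelihood, r.consequence) > ACCEPTABLE_RISK) for r in ranked]

def mitigate(risk, controls):
    """Risk mitigation: cheapest applicable control reaching an acceptable level, else the
    one with the lowest residual; returns (control or None, residual magnitude)."""
    best = (None, magnitude(risk.likelihood, risk.consequence))
    for c in sorted(controls, key=lambda c: c.cost):
        if risk.legacy and not c.legacy_compatible:
            continue  # e.g. anti-virus or patching cannot be deployed on a legacy controller
        residual = magnitude(max(1, risk.likelihood - c.likelihood_reduction), risk.consequence)
        if residual <= ACCEPTABLE_RISK:
            return c, residual
        if residual < best[1]:
            best = (c, residual)
    return best

# Constructed sample register and control catalogue (not from the page).
REGISTER = [
    Risk("substation RTU", "unauthorized remote command", 4,
         {"safety": 4, "financial": 3, "environmental": 2, "societal": 3}, legacy=True),
    Risk("DER gateway", "firmware tampering", 3,
         {"safety": 2, "financial": 2, "environmental": 1, "societal": 2}),
]
CONTROLS = [Control("host anti-virus", 2, 1, legacy_compatible=False),
            Control("network segmentation with access control", 2, 3)]
```

Running `evaluate(REGISTER)` ranks the RTU risk first and flags it as unacceptable; `mitigate` then skips the cheaper anti-virus control for that legacy asset and selects segmentation instead, bringing the residual down to the threshold.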

Over time, all of these control solutions should be monitored to ensure that they continue to be effective, and to detect whether possible attacks have overcome them.

  • In all cases, possible security events identified by this monitoring should be sent to a central CERT site.
  • The CERT should be capable of filtering and assessing the importance of any security event or sequence of security events.