OT cyber risk assessment

This article will cover challenges to performing risk assessments in OT environments, building successful OT risk assessments, required outputs, unmitigated risk, and more.

When it comes to business planning, risk assessments are an important step for making informed decisions using facts. Decisions need to be aligned with the organisation's risk appetite and legal / regulatory requirements.

Challenges

  • Expertise Shortage: There is a significant lack of personnel with the necessary knowledge and skills to conduct cyber risk assessments in OT, which hinders the ability of organisations to carry out these assessments effectively.

  • Unique OT Environments: Unlike Information Technology (IT) environments that often share common characteristics, OT environments are usually unique, requiring multiple, distinct risk assessments, which adds to the resource burden.

  • Asset Inventory Issues: Many OT environments suffer from incomplete or inaccurate asset inventories, making it difficult to assess risks without a full understanding of the environment’s components. You can't protect what you can't see.

  • Differing IT/OT Focuses: There is a disparity between the focuses of IT and OT; IT prioritises confidentiality, integrity, and availability, while OT emphasises safety, reliability, and performance, necessitating a different approach to risk assessment.

Building OT cyber risk assessment

There are different approaches to conducting a risk assessment. For example, you might:

  1. Base the risk assessment on IEC 62443-3-2

  2. Create a bespoke framework

  3. Engage third-party experts

  4. Reuse an existing IT cyber risk assessment

  5. Link the risk assessment to a pre-existing business risk assessment (BIA)

Consider factors such as level of detail, desired outcomes, and project context.

Risk assessment output

Now that you have chosen an approach, plan what the output should be and how useful it will be to different stakeholders, e.g. limit technical jargon for non-technical stakeholders.

Typical contents of the output:

  • Potential business impact

  • Risk detail

  • Risk context

  • Risk location

  • Risk owner

  • Risk prioritisation

  • Risk classification

  • Risk treatment

  • Timescale

  • Reassessment date

OT risks should be documented in an OT risk register for consistent documentation, tracking, and management. A mitigation plan would help the organisation continuously improve.

Risk tolerance

Organisations need a plan to treat risk down to an acceptable residual tolerance. Some risks may be accepted as-is, while others are mitigated to a defined point (the tolerance). Tolerance is usually influenced by budget, change frequency, and manufacturer.

Conducting a risk assessment

Preparing a consistent set of questions for internal assessments can improve efficiency, and using consistent processes helps identify trends and establish baselines.

The use of tools varies. I've mostly seen organisations use spreadsheets like Excel to do this, but with limitations such as poor scalability. Consider a complex risk assessment or system where the relationships between threats, vulnerabilities, and risks need to be mapped out.
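As an added example (not from the article), the Python sketch below models an OT risk register with the fields listed above, scores impact on the OT dimensions of safety, reliability and performance, and flags risks whose residual score stays above tolerance (unmitigated) or whose reassessment date has passed. The weights, scales, thresholds and register entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
# OT impact dimensions named in the article (safety, reliability, performance).
# Weights, 1..5 scales, thresholds and register entries are constructed here.
IMPACT_WEIGHTS = {"safety": 3, "reliability": 2, "performance": 1}

@dataclass
class Risk:
    risk_id: str
    detail: str         # risk detail / context
    location: str       # risk location (site, zone, cell)
    owner: str          # risk owner
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: dict        # dimension -> 1 (negligible) .. 5 (severe)
    treatment: str      # "accept" or "mitigate"
    mitigated_by: int   # likelihood levels removed by the treatment
    reassess_on: date   # reassessment date

    def _impact_sum(self) -> int:
        return sum(IMPACT_WEIGHTS[d] * v for d, v in self.impact.items())
    def inherent(self) -> int:
        return self.likelihood * self._impact_sum()
    def residual(self) -> int:
        """Score after treatment; accepting a risk leaves the inherent score unchanged."""
        if self.treatment == "accept":
            return self.inherent()
        return max(1, self.likelihood - self.mitigated_by) * self._impact_sum()

def classify(score: int) -> str:  # constructed classification thresholds
    return "High" if score >= 60 else "Medium" if score >= 25 else "Low"

def review_register(register, tolerance: int, as_of: date):
    """Rank by residual score; flag risks above tolerance (unmitigated) and overdue reassessments."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    unmitigated = [r.risk_id for r in ranked if r.residual() > tolerance]
    overdue = [r.risk_id for r in ranked if r.reassess_on < as_of]
    return [r.risk_id for r in ranked], unmitigated, overdue

REGISTER = [  # constructed entries
    Risk("R1", "Engineering workstation with unmanaged vendor remote access", "Zone 2 / Cell A",
         "Plant manager", 4, {"safety": 4, "reliability": 3, "performance": 2}, "mitigate", 2, date(2025, 1, 31)),
    Risk("R2", "No segmentation between business and control networks", "Site DMZ",
         "OT security lead", 3, {"safety": 2, "reliability": 4, "performance": 3}, "mitigate", 1, date(2026, 6, 30)),
    Risk("R3", "Legacy HMI that cannot be patched, on an isolated network", "Zone 3 / Packaging",
         "Ops supervisor", 2, {"safety": 1, "reliability": 2, "performance": 2}, "accept", 0, date(2026, 1, 1)),
]

def demo_review():  # review the constructed register at tolerance 30 as of 2025-06-01
    return review_register(REGISTER, tolerance=30, as_of=date(2025, 6, 1))
```

Each entry carries its owner, location and reassessment date, so the same structure supports the tracking and mitigation planning the article asks of a risk register.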

This article has been written using a variety of sources from the internet and personal experience.
