In the world of cyber security, we talk a lot about “risk” – how to measure and reduce it. It’s often difficult for many organisations to quantify – how can you truly know the impact of a cyber incident and its potential cost to your business before it happens? In many ways, in the industrial sectors where operational technology is rife, you have a benefit over purely IT-utilising organisations.
An operational outage would be the most significant cost factor to your organisation in the face of a cyber attack. Those costs have often already been calculated to inform business continuity and incident response planning, or estimated for insurance liability purposes.
Many efforts have been made to combine the world of cyber vulnerabilities with the costs of a cyber incident in order to prioritise mitigation strategies better. This is especially important where resources (like cyber security skills) are limited and budgets are constrained. It is also incredibly demanding: you need to identify which vulnerabilities are relevant to you and whether your unique OT (Operational Technology) architecture makes them harder to exploit (although our Dot™ solution can certainly help with both if you’re interested!).
Once a relevant vulnerability on one of your assets has been identified and the potential exploitability of that vulnerability within your environment has been understood, it’s time to consider the impact that exploiting that vulnerability would have on your organisation.
Broadly, I’d suggest splitting this into several factors:
- Safety—Could a cyber incident pose a physical risk to the human safety of your employees, customers, or the public?
- Environmental—Could a cyber attack impact the environment around the location of the impacted asset(s)?
- Reputational—How much damage could be done to your organisation’s reputation?
- Financial—What monetary impact would the organisation have if this asset malfunctioned or became unavailable?
It’s worth considering each of these factors’ severity on a scale from trivial to critical. The precise boundaries and measurements for each will vary from organisation to organisation based on the service or product they offer, the size of their client base, and the inherent risk involved in that process.
By combining these “SERF” risk factors with a likelihood of occurrence, we have a lightweight measure that enables us to prioritise those risks with a high likelihood and a high impact across the four measures. The “SERF” factors are unlikely to change significantly from one vulnerability to another but are likely to hold true for an individual asset or group of assets as a system. This further reduces our calculation overhead and the need to frequently bring together in-depth cyber skills and business intelligence information that is often spread across several individuals or teams within an organisation.
Using “SERF” together with the likelihood of occurrence is just one method of measuring OT cyber risk, but one where resources (e.g. skilled people and time) are not significantly taxed to arrive at a reasonable measure. Many more in-depth and more accurate measures have been researched, but they often require a considerable time commitment from several highly skilled and often in-demand individuals across an organisation to calculate – something that would be untenable for many organisations.
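To show the lightweight "SERF × likelihood" prioritisation in practice, here is an added worked example (not code from the original post or from Dot™). The numeric scales, the "worst factor wins" combination rule, the asset names and the vulnerability identifiers are all constructed assumptions; SERF ratings are held once per asset and reused for every finding on that asset, as the text suggests.

```python
from dataclasses import dataclass

# Severity scale from "trivial" to "critical" and a likelihood scale.
# The numeric mappings are assumptions for this example, not the post's.
SEVERITY = {"trivial": 1, "low": 2, "moderate": 3, "high": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class SerfProfile:
    """SERF impact ratings held at asset/system level and reused across its findings."""
    safety: str
    environmental: str
    reputational: str
    financial: str

    def impact(self) -> int:
        # Worst case across the four factors (assumed rule): an incident that is
        # critical on one axis is treated as a critical-impact risk overall.
        return max(SEVERITY[v] for v in
                   (self.safety, self.environmental, self.reputational, self.financial))


@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerability: str   # placeholder identifiers below, not real advisories
    likelihood: str      # likelihood of exploitation within this OT environment


def risk_score(finding: Finding, profiles: dict) -> int:
    """Likelihood x worst-case SERF impact, giving a 1..25 priority score."""
    return LIKELIHOOD[finding.likelihood] * profiles[finding.asset].impact()


def prioritise(findings, profiles):
    """Return (score, finding) pairs ordered highest risk first."""
    scored = [(risk_score(f, profiles), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample data: one SERF profile per asset, one finding each.
PROFILES = {
    "boiler-plc": SerfProfile("critical", "high", "moderate", "high"),
    "hmi-workstation": SerfProfile("low", "trivial", "moderate", "moderate"),
    "historian": SerfProfile("trivial", "trivial", "high", "moderate"),
}
FINDINGS = [
    Finding("boiler-plc", "VULN-PLACEHOLDER-1", "unlikely"),
    Finding("hmi-workstation", "VULN-PLACEHOLDER-2", "likely"),
    Finding("historian", "VULN-PLACEHOLDER-3", "almost certain"),
]

if __name__ == "__main__":
    for score, f in prioritise(FINDINGS, PROFILES):
        print(f"{score:2d}  {f.asset:16s} {f.vulnerability} ({f.likelihood})")
```

Note that with this combination rule the safety-critical PLC ranks below the historian because its finding is unlikely to be exploitable; whether a critical safety rating should override likelihood is exactly the kind of organisation-specific boundary the post says you must set yourself.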
We’re always looking for new and exciting developments and feedback on what is (and isn’t) working well in OT cyber security. Whether you’ve successfully implemented an OT cyber risk management process or need further support, we’d love to hear from you!