Blog

With cybersecurity incidents of water systems and pipelines filling the headlines it is easy to understand why the cybersecurity of your industrial control system matters. Knowing exactly where to begin managing cybersecurity can be more difficult. Luckily, whether you have never considered the cybersecurity of your system or are strengthening your existing solutions, the first step is the same: a Cybersecurity Assessment.

A Cybersecurity Assessment is a process of uncovering the cybersecurity vulnerabilities of a system and rating the risks that are related to those vulnerabilities. Assessments will vary widely depending on the system under consideration, the assessment team, and the needs of the managing organization. Yet there are some commonalities you will likely find with any assessment. Below we will lay out what you can generally expect from a Cybersecurity Assessment from the preparation and the onsite work, to the deliverables and the next steps.

Preparation

Before anyone arrives on location for the onsite portions of the assessment, there are some general preparation steps that can be expected for most assessments:

• Establishing the Team - Identify who will be on the assessment team, considering the following roles:
  • Assessment Team Lead
  • Assessment Engineer(s)
  • Plant/Site Manager
  • Controls/I&E Lead
  • Safety Lead
• Preparing Documents and Drawings - Locate any technical documents and drawings or diagrams that will help the assessment team better understand the system under consideration.
• Questionnaire - Answer a survey of questions to gain information about the system and policies and procedures of the organization.

Onsite

The onsite portion of the assessment, like the preparation work, is essentially an effort in information gathering. The technical work will vary widely depending on the scope of the system, but you will often find the following phases:

• Kick Off – The entire team will meet to review the objectives and schedule for the assessment.
• Site Tour - Site staff will show the assessment team the plant, control rooms, and networking rooms.
• Visual Inspection – The assessment team will perform a visual inspection of the networking and controls equipment.
• Asset Inventory – The details of all critical equipment including manufacturer, firmware, IP Address, and more will be documented.
• Network Scanning – The network will be passively scanned to discover devices, configurations, and potential vulnerabilities.
• Risk Assessment and Rating – Together with the entire team, the vulnerabilities and threats to the system will be identified, categorized, and rated.
• Report and Review – A report will be created and presented detailing all of the findings including vulnerabilities, risk assessment, asset inventory, and network diagrams.

Deliverables

When considering what you need to be getting out of your assessment, consider your needs and why you are conducting an assessment in the first place. You may have a regulatory requirement to produce a cybersecurity assessment report detailing the cybersecurity vulnerabilities of your system, or you may have a mandate to reduce certain risks over the next year. Consider these common deliverables you may want from an assessment:

• Vulnerability Report – A report detailing all discovered vulnerabilities of the system.
• Risk Assessment Report – A report detailing the risks (i.e., the likelihood and severity of potential incidents as they relate to system vulnerabilities).
• Mitigation Recommendations – A list of potential controls or strategies to mitigate the cyber risks to the system.
• Network Diagrams – Diagrams should detail your networked equipment and their corresponding security zones.
• Asset Inventory – A list detailing all critical equipment and their identifiable information.

Next Steps and the Cybersecurity Lifecycle

After an assessment is complete, you will want to make full use of the newfound information about your system. The assessment report will be the guide through the next phases of the cybersecurity lifecycle. The exact form of the cybersecurity lifecycle will vary between different sources (we recommend looking at the ISA/IEC 62443 standard and the NIST Framework for Cybersecurity), but they all generally present the same work. We choose to break the lifecycle into the following 4 phases:

• Assessment – The system will be holistically evaluated to uncover the cyber vulnerabilities and cyber risks to the system.
• Design – Using the risk analysis and proposed mitigations from an assessment, appropriate engineering controls and strategies will be chosen in order to reduce the cyber risk of the system.
• Implementation – The entire team will work together to install and configure the selected controls and strategies, minimizing disturbance to operations.
• Maintenance & Response – Even after solutions have been implemented the system will need to be monitored, maintained. Infrastructure, both controls and policies & procedures, will also need to be in place to better help the organization better respond to potential cybersecurity incidents.

Learn more about how DMC can help you manage the cybersecurity of your system and contact us today!