The assets within the established scope should be identified and valuated, and their dependencies should be extracted.
The dependency among various assets can be different in each cybersecurity criterion. Asset dependency is one of the parameters in calculating the asset value. By accumulating the asset values, while considering the dependencies, we can calculate the value of cyber assets. As a rule of thumb, cyber assets with more dependency on them have higher asset value.
Identify potential threat events and the threat actors that could initiate the events.
The threat actors may have different levels of capabilities, which affect the likelihood of their success in potential cyber attacks. We can classify them in qualitative or semi-qualitative ways.
Threat events can be classified based on many factors, such as the attack technique, vulnerability type, effect on cyber assets, etc.
Existing and planned controls should be identified along with the assets they protect.
Existing controls should be identified to understand the span and type of cybersecurity coverage there is for assets and to avoid unnecessary work or costs. Control effectiveness should be checked to understand what kind of protection is in place.
Identify vulnerabilities that can be exploited by threat sources and the predisposing conditions that affect the likelihood of threat events that, despite existing cybersecurity controls, can cause harm to the identified assets.
Vulnerabilities can be related to asset properties and the deviation in asset use from its originally intended use.
Vulnerabilities typically appear in:
- organizational information and control systems
- processes and procedures
- management routines
- physical environment
- network environment
- system configurations
- hardware, software or communications equipment
- cybersecurity control systems
- dependence on external parties
The consequences and potential incident scenarios of successful threat events should be identified.
The impact of a successful threat event can be permanent, temporary or can have other behaviours over time. The impact of these consequences can arise from different natures, e.g., financial, safety, environmental, reputation, etc.
The operational consequence of incident scenarios can be identified in terms of, but are not limited to:
- Health and safety
- Financial cost
- Regulatory enforcement
- Time lost
- Opportunity lost
- Skill lost or needs to recover
- Reputation lost
The likelihood of the incident scenarios that are identified based on the impact criteria should be calculated.
A three-step process to determine the likelihood of incident scenarios needs to be performed:
- Analyze the likelihood that threat events will be initiated by the threat source, which could be a natural cause, a cyber attacker, etc. This may involve cost-benefit analysis from the threat source perspective.
- Analyze the likelihood of the threat event happening and causing different incident scenarios, despite the existence of cybersecurity controls.
- Analyze the likelihood of incident scenarios successfully causing the impact that is identified in the impact criteria.
Determine cybersecurity risks from threat events, while considering the impact and likelihood of the events.
Using the values assigned to the likelihood and impact of an incident scenario, the risk assessment assigns value to the identified risk, which has a place on the risk matrix. Each estimated risk is a combination of one or multiple incident scenarios, their likelihood and impact. Some related minor risks can be aggregated to form fewer major risks.
An IACS cybersecurity risk assessment indicates the status of risks to the operational environment at the time of the assessment. In order to have up-to-date visibility over the current risk posture of the environment, the organization should perform risk assessments on a regular basis and when a major change occurs, throughout the risk management life cycle, and across all organizational tiers.