
Risk v Compliance? What works in an ICS Domain?

A quick overview of two industry methods to understand, map and mitigate cyber risks for your industrial control system (ICS) network domain.


So you have just been advised there will be a cyber security uplift program for your ICS domain.


Why do we need to do this now?

We're too busy just keeping the lights on and don't have time to figure out "Cyber".

You are Air Gapped.

You have a Firewall and antivirus.

"Mate, what could bloody go wrong?"


Those are all great questions, and unless you have conducted a Cyber uplift program at ICS sites before, the answers to those questions provide more insight than you realise. Why? Because understanding the INTENT and CAUSE of the cyber program will, more often than not, dictate the approach that should be applied: a RISK versus Compliance approach.

During my time working within Fortune 100 companies and Cyber Security Start Ups that specifically drove the adoption of Cyber programs, deployed across more than hundreds of sites here in Australia and globally, defining the Risk v Compliance approach is THE ANSWER to the leading question of Cyber Program INTENT.


Intent and Cause, and likely Effect


To break down the logic, the two differing approaches are:


Risk Based Assessment: Where an organisation already understands Risk Metrics, whether "borrowed" from the IT Department or inherited from a previous Risk Management Program, and now needs to flow them down into the ICS domain. This is commonly defined as Assess and Identify Gaps (how are the Bad Actors going to get into our system, and where could they do serious damage?) followed by the Remediation and Mitigation steps to implement so that you sit at a level of risk you are prepared to cop (what can we do to stop the bad guys, and if we can't, can we still operate business as usual?).


Compliance: When your organisation is in one of the eleven critical sectors as defined by DHA CISC and therefore may have enhanced Obligations to Comply with SOCI (more on this in another post). Where this specific legal obligation mandates you ACT within 6 to 18 months (that is, 6 months commencing from Feb 2023 with a 12 month grace period AND with annual reporting required), adherence to the Critical Infrastructure Risk Management Program, or CIRMP, means you need to adopt an accepted Cyber Industry Standard to be used as the ruler to measure your Risk Level against: are you Bad, Good or Best on that specific metric of measurement?

Hint: CIRMP is also about Organisational Resilience as per below.


Fig 1.1 Sample of Organisational Health Check from DHA Organisational Resilience Site



So you know which approach to use huh?


Step two, now what? Who do you call? Who do you TRUST? How long will this take, how much, when, where and... wait, no: How and Why? Hint: read Intent and Cause again.


For the most part, you probably have a dominant ICS vendor across your sites.

Whether this be GE, Honeywell, Rockwell, Schneider, Siemens, Yokogawa etc. But did you know, most of these ICS Vendors have their own Cyber Risk Assessment Program you can leverage to conduct an ICS Network and Cyber Assessment?

Speaking from experience with one of those major ICS Vendors, the Cyber Vulnerability Security Assessment (CVSA) and Network Assessment is a perfect place to start for a Risk Based Approach. Use Case #1: Client Gap Assessment from an existing 'Policy' to "Assess" against an Industry Cyber Standard such as IEC62443, leading to further physical onsite assessments (Risks, Threats, Vulnerabilities etc.) to Define and Implement Cyber Controls. The onsite CVSA is the key here. Risks uncovered by way of inherent vulnerabilities in a server's operating system, unpatched machines (commonly Windows operating systems and the applications used for virtualisation) and other cyber equipment such as firewalls and AV, all of which reside within the process control network (think L1 to L3.5), are reported and remediation work actioned: Patch Windows/VM machines, update AV Sig files, Remove/Add Firewall Rules, Update Network Switch OS/Patch or even swap out for newer hardware for enhanced functionality/reduced operational risk.
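The onsite CVSA step above boils down to a checklist run over the site's asset inventory: which Windows/VM hosts are unpatched, whose AV signature files are stale, which firewall rules are too loose, which switches have no patch record. The following is an added example written for this page, not code from the original post or from any ICS vendor's CVSA tooling; the inventory, firewall rule set, Purdue-level bands, 90-day and 30-day thresholds and severity weighting are all constructed assumptions.

```python
"""Added example (not from the original post or any vendor's CVSA tooling):
a minimal offline gap check over an ICS asset inventory, grouped by the
remediation categories the post lists. Thresholds, Purdue bands and
severity weighting are assumptions for illustration only."""
from datetime import date

PATCH_MAX_AGE_DAYS = 90   # assumed: OS/VM patch older than this is a finding
AV_SIG_MAX_AGE_DAYS = 30  # assumed: AV signatures older than this are a finding

# Constructed sample inventory for a fictional site (Purdue levels L1..L3.5).
INVENTORY = [
    {"host": "HMI-01",     "level": "L2",   "os": "Windows 10",          "last_patch": "2022-03-01", "av_sig": "2022-02-20"},
    {"host": "ENG-WS-01",  "level": "L3",   "os": "Windows 10",          "last_patch": "2023-01-15", "av_sig": "2023-02-01"},
    {"host": "HIST-01",    "level": "L3.5", "os": "Windows Server 2016", "last_patch": "2021-11-30", "av_sig": "2023-02-01"},
    {"host": "SW-CORE-01", "level": "L2",   "os": "switch firmware",     "last_patch": None,         "av_sig": None},
]

# Constructed rule set on the firewall between L3.5 (DMZ) and corporate IT.
FW_RULES = [
    {"id": 10, "src": "10.10.0.0/24", "dst": "10.20.0.5", "port": "443", "action": "allow"},
    {"id": 20, "src": "any",          "dst": "any",       "port": "any", "action": "allow"},
]


def _age_days(stamp, today):
    """Days between an ISO date string and `today` (a date object)."""
    return (today - date.fromisoformat(stamp)).days


def severity_for(level):
    """Assumption: the closer to the process, the worse an outage, so
    L1/L2 findings are critical and L3/L3.5 findings are high."""
    return "critical" if level in ("L1", "L2") else "high"


def _finding(host, level, category, detail, remediation):
    return {"host": host, "level": level, "category": category,
            "severity": severity_for(level), "detail": detail, "remediation": remediation}


def patch_findings(inventory, today):
    """Hosts with no patch record, or a last patch older than the threshold."""
    out = []
    for a in inventory:
        if a["last_patch"] is None:
            out.append(_finding(a["host"], a["level"], "patching", "no patch record",
                                "confirm OS/firmware version; patch or replace hardware"))
        elif _age_days(a["last_patch"], today) > PATCH_MAX_AGE_DAYS:
            out.append(_finding(a["host"], a["level"], "patching",
                                f"last patched {a['last_patch']}",
                                "schedule OS/VM patching in the next maintenance window"))
    return out


def av_findings(inventory, today):
    """Hosts running AV whose signature files are stale (switches carry no AV)."""
    out = []
    for a in inventory:
        if a["av_sig"] is not None and _age_days(a["av_sig"], today) > AV_SIG_MAX_AGE_DAYS:
            out.append(_finding(a["host"], a["level"], "antivirus",
                                f"signatures dated {a['av_sig']}", "update AV signature files"))
    return out


def firewall_findings(rules, level="L3.5"):
    """Allow rules with 'any' in source, destination or port on the DMZ boundary."""
    out = []
    for r in rules:
        if r["action"] == "allow" and "any" in (r["src"], r["dst"], r["port"]):
            out.append(_finding(f"fw-rule-{r['id']}", level, "firewall",
                                f"{r['src']} -> {r['dst']}:{r['port']} allow",
                                "remove or tighten the rule to explicit hosts and ports"))
    return out


def assess(inventory, rules, today_iso):
    """Run all checks and return findings, most severe first, then by host."""
    today = date.fromisoformat(today_iso)
    findings = patch_findings(inventory, today) + av_findings(inventory, today) + firewall_findings(rules)
    rank = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["host"], f["category"]))


if __name__ == "__main__":
    for f in assess(INVENTORY, FW_RULES, "2023-03-01"):
        print(f"[{f['severity']:8}] {f['level']:4} {f['host']:12} {f['category']:10} "
              f"{f['detail']} -> {f['remediation']}")
```

Run as a script it prints the findings most severe first; the same `assess()` function can be pointed at an inventory exported from a real asset register once the thresholds have been agreed with the site. The ordering is the point: L1/L2 findings surface first because an outage there stops the plant, whereas a DMZ firewall rule, while still a real gap, can usually be fixed without touching the process.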

Get a Quote, let Legal bash it around for weeks on end, Sign and Next. Easy right?

PS. Did you also see the magical link to Compliance metrics as well?

But what if you are concerned your other ICS vendors will miss out on all this fun?

No problemo!

Your IT dept has a mate who installed the Firewalls in the corporate office as well as the Email Filtering solution which has stopped that friendly Nigerian Banker wanting to transfer $10M USD to your bank account. You just need to click the link to automatically commence the transfer. Whoops.

The reality is, your IT Dept Team has probably crossed this pesky "Compliance" bridge before for the IT Domain. Their existing trusted Supplier can happily extend a Consulting engagement for a Compliance Report (or the creation of a Compliance Program that is Fit for Purpose) for your ICS Domain.

What did you say? Meet at the pub over lunch at 2pm to discuss the details. Done.


Use Case #2: For any Compliance based assessment, especially for the ICS domain, ensure ANY supplier you choose has done this type of work before, specifically for ICS. Not Email or Web Servers, not SAP, Oracle or other Applications, and not under any other fancy GRC abbreviation. You need experienced operators that understand the ICS domain has a Zero Tolerance Policy.

Zero downtime.

Zero Seconds, Minutes, Hours and, heaven forbid, Days.

So after you have given your left arm and right leg for the paper Compliance work: NISTCSF, IEC62443, AESCSF, etc. (guess it wasn't a free pub lunch after all), the cyber tools need to come out and play to collect actual data from your physical ICS site to identify and map existing Vulnerabilities and Threats. In my view, if this latter exercise is not done, the path to a Compliance model telling you what Cyber Standard you should adopt and implement, well, you only have one arm and leg now to show for it...


Afterthoughts: for many that have undertaken these steps before, hindsight is 20/20. Where possible, choose a Cyber Industry Standard that (just) might work for BOTH your IT and ICS Domain. Why, you ask? And did I just hear another pub lunch meeting being called to discuss more?

Because the more harmonised your sites can operate, as in, the fewer Cyber Standards they run under, the FEWER tools you will need to deploy, monitor and measure to track your Compliance and Risk Program against Cyber Standards and Risk Metrics. The last thing you want is significant technical debt of different Cyber Tools from different Vendors when, in a few years, your budgets are cut, the market returns to everyone wearing masks, and you need to stop renewing 50% of your Cyber tools to make the CFO happy.

TIP: That might be a good time to ask the CFO which system they are OK with not being operational for 25 days when ransomware hits... better yet, ask that question now, whilst your amazing report showing green ticks for either the Risk or the Compliance Assessment is gently placed on their desk.

