OT Risk Assessment


Now that the frequency of cyberattacks on Operational Technology (OT) is increasing, securing your organization's OT environment is more important than ever. Adversaries use various methods to infiltrate networks and cause all kinds of financial damages: either directly by halting or slowing down production or indirectly through stealing and selling your organization’s trade secrets. To reduce the chances of a cyberattack, possible countermeasures must be identified and implemented. Not, or incorrectly, implementing these countermeasures is a risk for your organization.


Discover more about OT Risk Assessment:

  1. Why would you do a risk assessment?
  2. Why is an OT-tailored risk assessment necessary?
  3. What does an OT risk assessment involve?
  4. The QAROT methodology
  5. The results of an assessment
OT Risk Assessment Banner

Why conduct a risk assessment?


A cyber risk assessment assists in structurally determining which cyber risks are present in your environment. It is possible to understand the effectiveness of (existing) countermeasures only after explicitly identifying these risks. This, in turn, makes it possible to reason about new countermeasures, if they are needed, and their potential effectiveness. Furthermore, assessing the severity of the identified risks enables deciding on and prioritizing countermeasures and making an informed decision if the costs of implementing them weigh up against the potential consequences. Moreover, performing a risk assessment will create a complete overview of the strengths and weaknesses of your organization. This overview can, in turn, be used to improve preparedness during a cyberattack or prevent one by addressing the identified weaknesses.


Why is an OT-tailored risk assessment necessary?

Industrial - Electricity - OT Cybersecurity

As opposed to IT, risks in OT environments do not only affect the confidentiality, integrity, and availability of data or processes but can also impact the facilities' reliability, performance, and safety. Furthermore, the different types of Industrial Control Systems (ICS), such as PLCs, DCSs, and SCADA systems, require unique attention as they are the backbone of any OT environment. To correctly assess risks and propose countermeasures in such environments, these differences should be considered.

What does an OT risk assessment involve?


Secura uses its own proprietary asset-driven risk assessment methodology named “Quantitatively Assessing Risk in Operational Technology” (QAROT). This methodology complies with IEC 62443-3-2 and incorporates the strengths of MITRE’s ATT&CK for ICS and ISO 31010. Combining these standards enables us to do risk assessments beyond just compliance. Together with our clients, we define the IEC 62443-3-2-required target security levels, on which we systematically base the assessment objectives. QAROT incorporates other standards from the IEC 62443 family, such as -3-3 and -4-2, to give coherent and actionable advice based on the fundamental security requirements that these standards describe. Furthermore, QAROT uses Secura’s publicly available Operational Technology Cyber Attack Database (OTCAD) when establishing the severity of identified risks.

Industrial - Water Management - OT Cybersecurity

The QAROT methodology

QAROT uses a top-down approach to identifying and assessing risks: it derives applicable countermeasures by considering all assets within an OT environment. These countermeasures are based on ATT&CK for ICS and are combined with IEC 62443-3-3 and -4-2 to objectively assess their implementation and effectiveness within the system under consideration. This combination allows Secura to structurally identify potential shortcomings and the risks that they pose. The assessment starts by creating a zone & conduit diagram based on the organization’s network drawings and asset inventory. The diagram contents are discussed together with the client during a workshop to ensure that they correctly represent the assessed environment. In consecutive workshops, we determine together with our client the impact of possible adversary goals, and we establish the achieved security levels of an existing asset- and zone/conduit-based countermeasures.

The result of an OT Risk Assessment


For each of the shortcomings identified during these workshops, Secura will provide tailored and actionable advice on how to address them. Through QAROT’s proprietary calculations, the identified risks are quantitatively scored and ranked, which helps in the comparison and prioritization. Moreover, using IEC 62443’s fundamental requirements, the sufficiently implemented mitigations are categorized so the client can quickly see compliance within different cybersecurity areas. We deliver these overviews, the identified risks, including our recommendations, and a follow-up plan in a report which we will present in a close-out meeting.

Interested in an OT Risk Assessment at your company?


We are happy to discuss how we can help you the best. You can contact us via the contact form, by telephone at +31 (0) 88 888 31 00, or by email at info@secura.com.

Fact sheets

OT Risk Assessment

Determine which cyber risks are present in your OT environment.

Download fact sheet file_download

IEC 62443 Series of Standards

IEC 62443 Series of Standards
General
62443-1-1

Concept and Models

Defines the terminology, concepts, and models for Industrial Automation and Control Systems (IACS) security, which are used throughout the series. In particular, the seven foundation requirements (FRs) are defined.
62443-1-2
Master Glossary of terms and abbreviations
Includes the definition of terms and acronyms used in the IEC 62443 standards.
62443-1-3
System Security Conformance Metrics
This document defines the high-priority system cybersecurity conformance metrics for an industrial automation and control system. (Draft)
Policies & Procedures
62443-2-1
Establishing an IACS Security Program
Specified asset owner security program requirements for an IACS and provides guidance on how to develop and evolve the security program. The elements of an IACS security program described in this standard define required security capabilities that apply to the secure operation of an IACS and are mostly policy, procedure, practice, and personnel-related
62443-2-2
IACS Protection levels
Specified a framework and methodology for evaluation of the protection of an IACS based on the notion of (technical) security level and the maturity of the connected processes. The concept of protection level is a security rating of the combination of technical and organizational measures and defines an indicator of the comprehensiveness of the security program. (Draft)
62443-2-3
Patch management in the IACS environment
Defines the patch management in the IACS environment. Specifically, it provides a defined format for the exchange of information about security patches from asset owners to product suppliers.
62443-2-4
Requirements for IACS service providers
Specifies requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an automation solution.
62443-2-5
Implementation guidance for IACS asset owners
Provide guidance to asset owners for the implementation of a Cyber Security Management System (CSMS) in an IACS. (Draft)
System
62443-3-1
Security Technologies for IACS
Provides a current assessment of various cybersecurity tools, mitigation countermeasures, and technologies that may effectively apply to the modern electronically based IACSs.
62443-3-2
Security Risk Assessment and system design
Establishes requirements for risk assessments and partitions an IACS into zones and conduits. It also includes the requirements for detailed risk assessments of each zone and conduit, and for assigning Security Level targets (SL-Ts) on threat and risk.
62443-3-3
System security requirements and security levels
Provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs), including defining the requirements for control system capability security levels.
Components
62443-4-1

Secure product development lifecycle requirements

Specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development lifecycle for the purpose of developing and maintaining secure products.
62443-4-2
Technical security requirements for IACS components
Specified the cyber security technical requirements for components, such as embedded devices, network components, host components, and software applications.
Secura Contact Shape
Partners of Secura

Cybersecurity is more than technology alone. Secura collaborates with partners in compliance and risk management, integrated application security, privacy, IT- and internet law and certification.