OT Risk Assessment
Securing your OT environment
As cyberattacks on Operational Technology (OT) become more frequent, securing your organization's OT environment is more important than ever. Adversaries use various methods to infiltrate networks and cause financial damage: either directly, by halting or slowing down production, or indirectly, by stealing and selling your organization's trade secrets.
To reduce the chances of a cyberattack, possible countermeasures must be identified and implemented. Failing to implement these countermeasures, or implementing them incorrectly, is a risk for your organization.
Why conduct a risk assessment?
A cyber risk assessment assists in structurally determining which cyber risks are present in your environment. It is possible to understand the effectiveness of (existing) countermeasures only after explicitly identifying these risks. This, in turn, makes it possible to reason about new countermeasures, if they are needed, and their potential effectiveness.
Furthermore, assessing the severity of the identified risks makes it possible to decide on and prioritize countermeasures, and to make an informed decision on whether the costs of implementing them are justified by the potential consequences. Moreover, performing a risk assessment will create a complete overview of the strengths and weaknesses of your organization. This overview can, in turn, be used to improve preparedness during a cyberattack or prevent one by addressing the identified weaknesses.
Why is an OT-tailored risk assessment necessary?
As opposed to IT, risks in OT environments do not only affect the confidentiality, integrity, and availability of data or processes but can also impact the facilities' reliability, performance, and safety. Furthermore, the different types of Industrial Control Systems (ICS), such as PLCs, DCSs, and SCADA systems, require unique attention as they are the backbone of any OT environment. To correctly assess risks and propose countermeasures in such environments, these differences should be considered.
What does an OT risk assessment involve?
Secura uses its own proprietary asset-driven risk assessment methodology named “Quantitatively Assessing Risk in Operational Technology” (QAROT). This methodology complies with IEC 62443-3-2 and incorporates the strengths of MITRE’s ATT&CK for ICS and ISO 31010. Combining these standards enables us to do risk assessments beyond just compliance. Together with our clients, we define the target security levels required by IEC 62443-3-2, on which we systematically base the assessment objectives.
QAROT incorporates other standards from the IEC 62443 family, such as -3-3 and -4-2, to give coherent and actionable advice based on the fundamental security requirements that these standards describe. Furthermore, QAROT uses Secura’s publicly available Operational Technology Cyber Attack Database (OTCAD) when establishing the severity of identified risks.
The QAROT methodology
QAROT uses a top-down approach to identifying and assessing risks: it derives applicable countermeasures by considering all assets within an OT environment. These countermeasures are based on ATT&CK for ICS and are combined with IEC 62443-3-3 and -4-2 to objectively assess their implementation and effectiveness within the system under consideration. This combination allows Secura to structurally identify potential shortcomings and the risks that they pose.
The assessment starts by creating a zone & conduit diagram based on the organization’s network drawings and asset inventory. The diagram contents are discussed together with the client during a workshop to ensure that they correctly represent the assessed environment. In subsequent workshops, we determine together with our client the impact of possible adversary goals, and we establish the achieved security levels of existing asset- and zone/conduit-based countermeasures.
The result of an OT Risk Assessment
For each of the shortcomings identified during these workshops, Secura will provide tailored and actionable advice on how to address them. Through QAROT’s proprietary calculations, the identified risks are quantitatively scored and ranked, which helps in comparing and prioritizing them. Moreover, using IEC 62443’s fundamental requirements, the sufficiently implemented mitigations are categorized so the client can quickly see compliance within different cybersecurity areas. We deliver these overviews, the identified risks, our recommendations, and a follow-up plan in a report, which we present in a close-out meeting.
IEC 62443 Series of Standards
| Group | Part | Description |
| --- | --- | --- |
| General | 62443-1-1 Concept and Models | Defines the terminology, concepts, and models for Industrial Automation and Control Systems (IACS) security, which are used throughout the series. In particular, the seven foundational requirements (FRs) are defined. |
| General | 62443-1-2 Master Glossary of terms and abbreviations | Includes the definition of terms and acronyms used in the IEC 62443 standards. |
| General | 62443-1-3 System Security Conformance Metrics | Defines the high-priority system cybersecurity conformance metrics for an industrial automation and control system. |
| Policies & Procedures | 62443-2-1 Establishing an IACS Security Program | Specifies asset owner security program requirements for an IACS and provides guidance on how to develop and evolve the security program. The elements of an IACS security program described in this standard define required security capabilities that apply to the secure operation of an IACS and are mostly policy, procedure, practice, and personnel-related. |
| Policies & Procedures | 62443-2-2 IACS Protection levels | Specifies a framework and methodology for evaluation of the protection of an IACS based on the notion of (technical) security level and the maturity of the connected processes. The concept of protection level is a security rating of the combination of technical and organizational measures and defines an indicator of the comprehensiveness of the security program. |
| Policies & Procedures | 62443-2-3 Patch management in the IACS environment | Defines patch management in the IACS environment. Specifically, it provides a defined format for the exchange of information about security patches from asset owners to product suppliers. |
| Policies & Procedures | 62443-2-4 Requirements for IACS service providers | Specifies requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an automation solution. |
| Policies & Procedures | 62443-2-5 Implementation guidance for IACS asset owners | Provides guidance to asset owners for the implementation of a Cyber Security Management System (CSMS) in an IACS. |
| System | 62443-3-1 Security Technologies for IACS | Provides a current assessment of various cybersecurity tools, mitigation countermeasures, and technologies that may effectively apply to the modern electronically based IACSs. |
| System | 62443-3-2 Security Risk Assessment and system design | Establishes requirements for risk assessments and partitions an IACS into zones and conduits. It also includes the requirements for detailed risk assessments of each zone and conduit, and for assigning Security Level targets (SL-Ts) based on threat and risk. |
| System | 62443-3-3 System security requirements and security levels | Provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs), including defining the requirements for control system capability security levels. |
| Components | 62443-4-1 Secure product development lifecycle requirements | Specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development lifecycle for the purpose of developing and maintaining secure products. |
| Components | 62443-4-2 Technical security requirements for IACS components | Specifies the cybersecurity technical requirements for components, such as embedded devices, network components, host components, and software applications. |
Why choose Secura | Bureau Veritas
At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.
Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.