OT Risk Assessment

Securing your OT environment

Now that the frequency of cyberattacks on Operational Technology (OT) is increasing, securing your organization's OT environment is more important than ever. Adversaries use various methods to infiltrate networks and cause all kinds of financial damage, either directly by halting or slowing down production or indirectly by stealing and selling your organization’s trade secrets.

To reduce the chances of a cyberattack, possible countermeasures must be identified and implemented. Failing to implement these countermeasures, or implementing them incorrectly, is a risk for your organization.

Why conduct a risk assessment?

A cyber risk assessment assists in structurally determining which cyber risks are present in your environment. It is possible to understand the effectiveness of (existing) countermeasures only after explicitly identifying these risks. This, in turn, makes it possible to reason about new countermeasures, if they are needed, and their potential effectiveness.

Furthermore, assessing the severity of the identified risks makes it possible to decide on and prioritize countermeasures, and to make an informed decision on whether the costs of implementing them are justified by the potential consequences. Moreover, performing a risk assessment will create a complete overview of the strengths and weaknesses of your organization. This overview can, in turn, be used to improve preparedness during a cyberattack or prevent one by addressing the identified weaknesses.

Why is an OT-tailored risk assessment necessary?

As opposed to IT, risks in OT environments do not only affect the confidentiality, integrity, and availability of data or processes but can also impact the facilities' reliability, performance, and safety. Furthermore, the different types of Industrial Control Systems (ICS), such as PLCs, DCSs, and SCADA systems, require unique attention as they are the backbone of any OT environment. To correctly assess risks and propose countermeasures in such environments, these differences should be considered.

What does an OT risk assessment involve?

Secura uses its own proprietary asset-driven risk assessment methodology named “Quantitatively Assessing Risk in Operational Technology” (QAROT). This methodology complies with IEC 62443-3-2 and incorporates the strengths of MITRE’s ATT&CK for ICS and ISO 31010. Combining these standards enables us to do risk assessments beyond just compliance. Together with our clients, we define the IEC 62443-3-2-required target security levels, on which we systematically base the assessment objectives.

QAROT incorporates other standards from the IEC 62443 family, such as -3-3 and -4-2, to give coherent and actionable advice based on the fundamental security requirements that these standards describe. Furthermore, QAROT uses Secura’s publicly available Operational Technology Cyber Attack Database (OTCAD) when establishing the severity of identified risks.

The QAROT methodology

QAROT uses a top-down approach to identifying and assessing risks: it derives applicable countermeasures by considering all assets within an OT environment. These countermeasures are based on ATT&CK for ICS and are combined with IEC 62443-3-3 and -4-2 to objectively assess their implementation and effectiveness within the system under consideration. This combination allows Secura to structurally identify potential shortcomings and the risks that they pose.

The assessment starts by creating a zone & conduit diagram based on the organization’s network drawings and asset inventory. The diagram contents are discussed together with the client during a workshop to ensure that they correctly represent the assessed environment. In subsequent workshops, we determine together with our client the impact of possible adversary goals, and we establish the achieved security levels of existing asset- and zone/conduit-based countermeasures.

The result of an OT Risk Assessment

For each of the shortcomings identified during these workshops, Secura will provide tailored and actionable advice on how to address them. Through QAROT’s proprietary calculations, the identified risks are quantitatively scored and ranked, which helps in the comparison and prioritization. Moreover, using IEC 62443’s fundamental requirements, the sufficiently implemented mitigations are categorized so the client can quickly see compliance within different cybersecurity areas. We deliver these overviews, the identified risks, including our recommendations, and a follow-up plan in a report which we will present in a close-out meeting.


IEC 62443 Series of Standards

General

62443-1-1 Concept and Models

Defines the terminology, concepts, and models for Industrial Automation and Control Systems (IACS) security, which are used throughout the series. In particular, the seven foundation requirements (FRs) are defined.

62443-1-2 Master Glossary of terms and abbreviations

Includes the definition of terms and acronyms used in the IEC 62443 standards.

62443-1-3 System Security Conformance Metrics

This document defines the high-priority system cybersecurity conformance metrics for an industrial automation and control system.

Policies & Procedures

62443-2-1 Establishing an IACS Security Program

Specifies asset owner security program requirements for an IACS and provides guidance on how to develop and evolve the security program. The elements of an IACS security program described in this standard define required security capabilities that apply to the secure operation of an IACS and are mostly policy, procedure, practice, and personnel-related.

62443-2-2 IACS Protection levels

Specifies a framework and methodology for evaluating the protection of an IACS based on the notion of (technical) security level and the maturity of the connected processes. The concept of protection level is a security rating of the combination of technical and organizational measures and defines an indicator of the comprehensiveness of the security program.

62443-2-3 Patch management in the IACS environment

Defines patch management in the IACS environment. Specifically, it provides a defined format for the exchange of information about security patches from asset owners to product suppliers.

62443-2-4 Requirements for IACS service providers

Specifies requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an automation solution.

62443-2-5 Implementation guidance for IACS asset owners

Provides guidance to asset owners for the implementation of a Cyber Security Management System (CSMS) in an IACS.

System

62443-3-1 Security Technologies for IACS

Provides a current assessment of various cybersecurity tools, mitigation countermeasures, and technologies that may effectively apply to the modern electronically based IACSs.

62443-3-2 Security Risk Assessment and system design

Establishes requirements for risk assessments and partitions an IACS into zones and conduits. It also includes the requirements for detailed risk assessments of each zone and conduit, and for assigning Security Level targets (SL-Ts) based on threat and risk.

62443-3-3 System security requirements and security levels

Provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs), including defining the requirements for control system capability security levels.

Components

62443-4-1 Secure product development lifecycle requirements

Specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development lifecycle for the purpose of developing and maintaining secure products.

62443-4-2 Technical security requirements for IACS components

Specifies the cyber security technical requirements for components, such as embedded devices, network components, host components, and software applications.

Related Services

Design Review

Discover Secura's Design Review Service - proactively identifying security improvements in your IT designs to prevent data breaches and ensure alignment with best practices.

Threat Modeling Training

In the Threat Modeling Training, you will learn how to get a broad picture of potential risks using the STRIDE methodology. This works both for existing systems and new designs.

Vulnerability Assessment / Penetration Testing (VAPT)

Vulnerability assessment and penetration testing, or pentesting, are ways to discover weak spots in the security of your website, application or infrastructure. Let Secura's cybersecurity experts help you.

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.