Flavijus Piliponis â stock.ado
Traditional IT vs. critical infrastructure cyber-risk assessments
When it comes to critical infrastructure cybersecurity, the stakes are uniquely high. Assessing associated cyber-risk, in turn, is uniquely challenging.
Not all cybersecurity risks are created equal, and because threats are constantly evolving, it's crucial to regularly perform and update risk assessments. That's especially true for critical infrastructure, where cyber attacks can have life-threatening consequences. But are critical infrastructure cyber-risk assessments different than traditional IT cyber-risk assessments? The answer is importantly yes.
To understand how the assessments differ, it's important to first establish how the risks differ:
- Traditional IT cyber-risk. The likelihood a threat actor gains control of an organization's sensitive information and the potential financial consequences.
- Critical infrastructure cyber-risk. The likelihood a threat actor gains control of society's most vital systems and assets and the potential physical consequences.
The degree of danger associated with critical infrastructure cyber-risk is significantly higher than with traditional IT cyber-risk. For example, if someone were to steal your identity and open a credit card in your name, it would certainly disrupt your personal life, but you are unlikely to be held accountable for the fraudulent charges. In contrast, if bad actors were to shut down the electric grid, poison the local water system or compromise a reservoir dam, your family could be in life-threatening danger. Sufficiently widespread critical infrastructure attacks could also have grave national security implications.
Although it's important to highlight the differences between critical infrastructure and traditional IT cyber-risk, it's also worth noting that real-world incidents are not always so easy to parse. For example, nation-states sometimes are motivated to steal money rather than to wreak havoc; North Korea and Iran come to mind. And, although ransomware is a favorite among criminals looking to extort private companies, a ransomware attack can also have national security implications -- think of the recent Colonial Pipeline shutdown. In another example, a criminal might wage a ransomware attack on a hospital to extort money, but if the ransomware attack affects the delivery of patient care, people could suffer and die.
Critical infrastructure cyber-risk assessments vs. traditional IT cyber-risk assessments
IT use is widespread in industrial settings. Critical infrastructure cyber-risk assessments must, therefore, include all the information risk elements that an IT cyber-risk assessment would. They must also address many additional -- and, frankly, more frightening -- physical risk elements.
Traditional IT cyber-risk assessments and critical infrastructure cyber-risk assessments must both consider the following risk-scenario consequences:
- income loss
- reputation loss
- stock price loss
- IT incident response costs
- IT incident recovery costs
- customer impact -- e.g., in the case of fraud
Critical infrastructure cyber-risk assessments must weigh the following, additional risk-scenario consequences:
- employee injuries, illness and fatalities;
- community injuries, illness and fatalities;
- fires and explosions;
- damage to equipment;
- damage to property and infrastructure in the surrounding community;
- damage to flora and wildlife;
- release of toxins that threaten air, land and water quality;
- environmental response and recovery costs;
- supply chain effects; and
- national security effects.
Risk assessor expertise
The double scope of critical infrastructure cyber-risk assessments makes them much more complex and challenging than traditional IT cyber-risk assessments, largely because assessing physical risk requires additional knowledge, skill sets and methodologies.
Traditional IT cyber-risk assessors and critical infrastructure cyber-risk assessors need expertise in the following areas:
- IT security
Critical infrastructure cyber-risk assessors must also have expertise in the following subjects:
- operational and field technologies
- industrial cybersecurity
- operations supervisory management
- industrial engineering
- process safety management
- health and safety management
- environmental risk and compliance
- environmental remediation
- industrial regulatory compliance
- physical security
Risk assessment methodologies
The two types of risk assessments also use different methodologies. Traditional IT risk assessments rely on frameworks such as the following:
- Factor Analysis of Information Risk
- ISO 31000 and ISO/IEC 27005
- NIST Special Publication 800-30
- Operationally Critical Threat, Asset and Vulnerability Evaluation Allegro
In contrast, critical infrastructure risk assessment methodologies include the following:
- IEC 62443 and 61511
- process hazard analysis (PHA)/hazard and operability studies
- cyber PHA
Risk assessment environments
The environments these assessments respectively cover also differ. Traditional IT risk assessments account for the following:
- cloud services and applications
- corporate networks
- on-premises services and apps
- remote access
- information and data
- accounts, access and privileges
Critical infrastructure cyber-risk assessments also cover these environments:
- operations field zones
- operations safety zones
- operations control zones
- operations demilitarized/historian zones
- operations remote access zones
- operations information and data
- operations accounts, access and privileges
Recommendations for critical infrastructure cyber-risk assessments
The most important takeaway is that critical infrastructure cyber-risk assessments are more complex than traditional IT risk assessments because they encompass both traditional IT risks and physical risks.
Consider the following recommendations when undertaking a critical infrastructure cyber-risk assessment:
- Get the right third-party help. Internal staff likely lacks the necessary integrated expertise to design and conduct a comprehensive critical infrastructure cyber-risk assessment. Engage with an outside organization, whether public or private, that has deep experience in critical infrastructure risk assessment and protection readiness.
- Get the right people involved internally. While IT staff own digital technology threats, the people who understand cyber threats' potential physical implications come from elsewhere in the organization. Work with internal experts from operations, process engineering, technical engineering, environmental health and safety, and process safety.
- Get the right message to the executive team. Executives often see cyber-risk as a technical problem for IT to solve. Help them to understand that, when it comes to modern cyber threats, much more is at stake. IT cannot solve the problem of critical infrastructure risk alone -- it will take the entire organization, from the factory floor to the boardroom.