Industrial Control Systems or Operational Technology cybersecurity risk calculations are typically based on threat, vulnerability, and consequence in an equation similar to the one below:
risk = threat x vulnerability x consequence
If we assign numbers, like 1 to 5, and define what each number in the range means for each variable, we can probably solve the problem. For instance, suppose we assign the threat range from 1 to 5, similar to the risk frequency in SIL Determination, where 1 is improbable and 5 is almost certain within the life of the plant. How do I establish the frequency for the chosen range? Frequency for the threat variable must be based on the likelihood of something, but of what? Are we trying to predict the likelihood of a malware attack, an accidental loss of control to a virus, a PLC failure, or a nation state attack, and what are my reference statistics to justify the position we take in this calculation?
Vulnerabilities have a similar mathematical problem. Leaving a port open on a firewall might be catastrophic in some cases and irrelevant in others, depending on the industrial system design and configuration. The difference between the cybersecurity risk equation and process safety is that the threat and the cybersecurity vulnerabilities change constantly and are extremely hard to predict. I assume much of the hesitation in industrial cybersecurity is tied to uncertainties like these. We have trouble trusting the assumptions enough to go into the president's office and ask for money to remediate something when we are not certain whether the actual risk is greater than the tolerable risk.
If we don't know the threat and vulnerabilities, and they are likely to remain unknowable because it is very hard to predict human behavior or nation state attacks, can we make assumptions and still solve the problem? If we assume that there will always be a (new) threat and a (new) vulnerability, can we treat them as constants? If we assign threat and vulnerability an assumed value like 1, we can leave them out of the equation entirely; or should we give them a higher value and leave them in the equation? Whether we leave them in or neutralize them by setting them to 1, risk is now proportional to consequence. Is it really that easy?
Consequence can be determined using a study like the one the process industry calls a Hazard and Operability Study (HAZOP). A HAZOP determines whether a hazard has a significant consequence. A Layer of Protection Analysis (LOPA) then determines the level of risk reduction required to reduce the likelihood of that consequence occurring. Basically, this effort identifies and ranks the risks of operating a process. While these studies are required for Process Safety Managed (PSM) industries, every industry can and should do these types of studies, whether they are reliability-based, failure mode and effect analysis, or simply financial. Understanding the company's tolerable risk and actual risk should be part of every industry, even if you are only calculating availability for a Service Level Agreement (SLA). If your consequence is as basic as not being able to deliver your product, that might still be catastrophic to your company or your clients.
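As an added worked example (not from the original article), the script below puts the two points above into numbers: with threat and vulnerability unknown, each hazard's risk spans a wide band; with both held at any constant, the ranking collapses to the consequence ranking, which can then be compared against a tolerable risk. The hazard names and ratings are constructed for illustration, not real HAZOP output.

```python
"""Added example: behaviour of the 1-to-5 risk = threat x vulnerability x
consequence scale under uncertain versus assumed-constant threat and
vulnerability.  Hazard data below is constructed, not from a real study."""
from itertools import product

SCALE = range(1, 6)  # 1 = improbable / negligible ... 5 = almost certain / catastrophic

def risk_score(threat: int, vulnerability: int, consequence: int) -> int:
    """risk = threat x vulnerability x consequence, each rated 1..5."""
    for name, value in (("threat", threat), ("vulnerability", vulnerability),
                        ("consequence", consequence)):
        if value not in SCALE:
            raise ValueError(f"{name} must be rated 1..5, got {value}")
    return threat * vulnerability * consequence

def risk_band(consequence: int) -> tuple[int, int]:
    """Lowest and highest risk when threat and vulnerability are unknown
    and could sit anywhere in 1..5: the uncertainty the article describes."""
    scores = [risk_score(t, v, consequence) for t, v in product(SCALE, SCALE)]
    return min(scores), max(scores)

def rank_hazards(hazards: dict[str, int], threat: int, vulnerability: int) -> list[str]:
    """Rank hazards (name -> consequence rating) with threat and vulnerability
    held constant.  The multiplier is the same for every hazard, so the order
    depends only on consequence, whichever constant is chosen."""
    return sorted(hazards, key=lambda h: risk_score(threat, vulnerability, hazards[h]),
                  reverse=True)

def needs_remediation(hazards: dict[str, int], threat: int, vulnerability: int,
                      tolerable_risk: int) -> list[str]:
    """Hazards whose computed (actual) risk exceeds the tolerable risk."""
    return [h for h, c in hazards.items()
            if risk_score(threat, vulnerability, c) > tolerable_risk]

# Constructed HAZOP-style consequence ratings (1..5); not real plant data.
HAZARDS = {"loss of product delivery": 3, "overpressure of reactor": 5,
           "loss of view at HMI": 2, "unplanned shutdown": 4}

if __name__ == "__main__":
    for name, c in HAZARDS.items():
        print(f"{name:26s} consequence={c} risk band with unknown T,V={risk_band(c)}")
    # Same order whether threat and vulnerability are both 1 or both 5.
    print(rank_hazards(HAZARDS, 1, 1))
    print(rank_hazards(HAZARDS, 5, 5))
    print(needs_remediation(HAZARDS, 1, 1, tolerable_risk=3))
```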
In conclusion, we should consider using established methods to calculate consequences (and therefore risks), so we know exactly where to invest in design improvements and cybersecurity.