Risk assessments are a fundamental part of maintaining security protocols. Unlike formal security audits, there isn’t a fixed frequency for how often risk assessments need to be conducted.
So, how are security operators to know when they should conduct another in-depth evaluation of their industrial control system (ICS)?
While it may be tempting to put off a risk assessment when there’s so much other work to be done, protection must be proactive. This is especially true when it comes to securing your environment and keeping operations running smoothly.
If you catch yourself thinking any of the things below, it’s a sign that it’s time to conduct a proactive risk assessment!
Sign #1: Did We Add a New Machine to the Asset Inventory?
A complete device inventory includes all of your industrial system’s OT, IT, and IoT assets. An asset inventory is a comprehensive and up-to-date list of all process controllers, controller model & serial numbers, firmware versions, associated network information and addresses, along with any other related connections and components.
If your list is anything but exhaustive, you probably want to conduct a new ICS risk assessment as soon as possible. Ideally, managing your assets is a continuous process – any additions and changes should be logged whenever they’re made.
Keeping an updated inventory makes it easy for the operations and security teams to quickly and thoroughly understand which devices and software are in place at any given time.
🔥 Hot tip / Shameless plug → View a snapshot of the devices and protocols contained within a packet capture using the early-access version of our Free OT PCAP Analyzer.
Sign #2: I Didn’t Know You Had Access to That…
If it isn’t clear who has administrative access or security clearance (or that information isn’t documented), that means it’s time to conduct a risk assessment. Knowing what’s going on with access control can help mitigate risk and avert cybersecurity incidents caused by human error.
Strong and consistent security clearance practices are also a good way to create defense-in-depth by adding another layer of complexity to accessing critical systems.
A thorough risk assessment can be the first step in understanding your current access distributions and identifying opportunities for stronger security measures.
Sign #3: Finally, an Upgrade!
New equipment or upgrades to hardware, firmware, or software are good justifications for an updated risk assessment. Even seemingly small security patches can be a good time to conduct an assessment.
Any changes to your industrial environment, no matter how small they seem, can impact connected systems and devices. A new ICS risk assessment can help evaluate whether there need to be any changes to your current security protocols and responses.
Sign #4: When Was the Last Time We Did an Update?
If you don’t have a way to tell what software version is running on a machine, when it was patched (if it even can be patched), or when the hardware was purchased, it’s time to bump that risk assessment higher on the to-do list.
ICS risk assessments are great for identifying potential vulnerabilities and oversights, along with keeping a running inventory of any previously identified risks throughout your environment.
Conducting regular assessments also makes it easier to identify areas for improvement and stop any potential issues before they have an impact on operations.
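One way to turn Signs #1, #3 and #4 into a repeatable check, as an added example that is not SynSaber's code: compare two inventory snapshots and flag new assets, firmware changes, and records missing the fields listed above. The CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Fields the article lists for a complete inventory (Sign #1) plus the
# patch/purchase facts it says you must be able to answer (Sign #4).
# Column names are assumptions made for this example.
REQUIRED = ["model", "serial", "firmware", "ip", "last_patched", "purchased"]

# Constructed sample snapshots (not real devices).
PREVIOUS = """asset_id,model,serial,firmware,ip,last_patched,purchased
plc-01,ExamplePLC-100,SN0001,2.1.0,10.0.10.11,2023-03-01,2019-06-15
rtu-07,ExampleRTU-20,SN0444,1.4.2,10.0.20.7,2022-11-20,2018-01-09
"""
CURRENT = """asset_id,model,serial,firmware,ip,last_patched,purchased
plc-01,ExamplePLC-100,SN0001,2.2.0,10.0.10.11,2024-01-12,2019-06-15
rtu-07,ExampleRTU-20,SN0444,1.4.2,10.0.20.7,,
hmi-03,ExampleHMI-7,,,10.0.10.50,,
"""

def load(text):
    """Parse a CSV snapshot into {asset_id: row}."""
    return {r["asset_id"]: r for r in csv.DictReader(io.StringIO(text))}

def assessment_triggers(previous_csv, current_csv):
    """Return sorted (asset_id, reason) pairs that warrant a new assessment."""
    prev, cur = load(previous_csv), load(current_csv)
    findings = []
    for asset_id, row in cur.items():
        old = prev.get(asset_id)
        if old is None:
            findings.append((asset_id, "new asset"))                # Sign #1
        elif old["firmware"] != row["firmware"]:
            findings.append((asset_id, "firmware changed"))         # Sign #3
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:                                                 # Sign #4
            findings.append((asset_id, "missing: " + ",".join(missing)))
    for asset_id in prev.keys() - cur.keys():
        findings.append((asset_id, "asset no longer listed"))
    return sorted(findings)

if __name__ == "__main__":
    for asset_id, reason in assessment_triggers(PREVIOUS, CURRENT):
        print(f"{asset_id}: {reason}")
```

Any non-empty result is a prompt to schedule the assessment; an empty one means only that the two snapshots agree and are complete, not that the inventory matches what is actually on the network.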
Sign #5: The Last Full Security Assessment was with an Audit
Security audits are meant to assess environments to ensure they meet the bare minimum of compliance requirements. ☑️ Since audits are usually pass-fail, results typically don’t go into the deeper detail that facility managers, operators, or administrators can use.
On the other hand, risk assessments usually go into much more detail. They’re meant to document the current state of your security and its performance. They identify potential risks and issues (hence the name) but also document what is working.
SynSaber: Simplifying Visibility for your ICS Risk Assessment
SynSaber is committed to helping amplify operators’ visibility into their industrial systems with our ultra-small footprint, software-based sensors.
SynSaber sensors, called “Sabers,” can deploy on darn near anything:
- compute modules
- installed directly on existing hardware
- even virtual!
Our software was tailor-made for industrial environments, with the goal of providing security more affordably and democratically to protect critical infrastructure.
Interested in learning more about SynSaber’s vendor-agnostic solution that decouples data collection and analysis from event management, and is capable of sending data to any detection platforms, SIEMs, and data lakes?