Calculating cybersecurity risk may look straightforward on paper. The typical IT risk formula states risk as a function of likelihood and impact. But as any CISO or SOC analyst will tell you, gathering the data needed to accurately estimate those values is anything but straightforward. For starters, few organizations have a complete, accurate asset inventory, which means they likely have unknown risks. Moreover, with two components of likelihood ever increasing — vulnerabilities and threats — it’s hard to know if you’re focusing where you should be and implementing the right controls.
Now try to assess cybersecurity risk related to high-availability industrial environments such as critical infrastructure, which rely heavily on operational technology (OT) and Internet of Things (IoT) assets to control physical processes. Start by throwing out the IT risk formula. It’s OK for low-impact, high-frequency events primarily related to data integrity, but OT cybersecurity focuses on high-consequence/low frequency events. Instead, you need a multi-factor approach to risk that considers key aspects of these complex environments.
This article will explore the major differences between IT and OT risk management and explain how the Nozomi Networks platform enables you to customize how asset risk is calculated in your environment so you can understand where to allocate resources and communicate their impact.
IT Risk Assessment vs. OT Risk Assessment
The differences between how risk is assessed in IT vs. OT environments reflect the differences in the environments themselves. Here are six that stand out.
1. Cyber and Operational Risk
Perhaps the biggest difference is that in OT we must account for both cyber and operational risk, including process risk, because operational anomalies unrelated to a cyber threat are far more common. On the IT side, if a company’s mail server goes down, there’s minimal impact to the business. Some employees may even relish the break. But if a critical server goes down in an operational environment, you may have massive risk. Colonial Pipeline is a great example. When the DarkSide hackers ransomed data from their IT network, the attack brought down the billing and accounting systems, which was certainly going to create a costly mess. But the reason the company shut down the pipeline was that it lost access to a safety monitoring tool and couldn’t see whether the pipeline itself had been breached — a massive risk it obviously couldn’t tolerate.
2. Consequence-Based
In OT, risk assessment is focused on consequences such as physical safety, environmental harm and continuity of operations — all of which can have enormous financial consequences. Whether you’re assessing risk in a postal processing facility, a meat packaging plant, a cargo ship or a warehouse, with OT you’re always planning for your worst day. What catastrophic thing could happen that could impact thousands of people?
3. Interconnected Risk
Every component in an OT network is part of a larger process in a very distributed environment. Everything is connected and consequential. In a data center you could probably reboot every other server with no impact. In OT, if a machine has a problem, immediately you need to learn what it depends on and what is depending on it. From there, what are the consequences of an emergency shutdown? In an oil refinery, if someone hits that emergency shutdown button, you’re looking at millions of dollars gone in an instant and a few months to get that site back online.
4. Vulnerabilities-Only vs. Multi-Dimensional
In IT, device risk is based solely on vulnerabilities, and you can practically eliminate risk with patching. In OT, it’s multilayered, and patching must often be delayed until the next maintenance window — assuming patches exist at all. Because patching isn’t a silver bullet for managing OT risk, other factors must also be weighed.
5. Score vs. Trend
Especially at the plant and director level, OT stakeholders have little use for numerical risk scores. Our customers often tell us, “I don’t need a number; I just need to show my boss a graph with a line going down that indicates our risk is decreasing over time, which means our cyber program is working.” There’s no Richter scale for OT risk such that a 5.1 means the same thing from region to region or even plant to plant.
6. Higher Risk Tolerance
Because industrial downtime is to be avoided, outside of safety issues industrial stakeholders have a much higher tolerance for risk. Suppose a device is exposed to Telnet, but at Purdue Level 2 it has firewalls above and below it, and nothing can talk on that port. That’s a common scenario due to the nature of OT systems. The asset owner may choose to mute an alert that’s firing because the device is exposed to Telnet (or at least dial down the vulnerability risk in the alert rule), whereas an IT analyst would see the alert and want to patch the device immediately, which you can’t and don’t need to do.
Calculating OT Risk
Any risk assessment starts by conducting a business impact analysis to identify your crown jewels and prioritize their protection. In industrial environments, it’s more complex because you’re not just looking at asset risk; you must also identify your most critical processes and how to protect them. A conveyor belt inside the plant that takes iron ore to the furnace is riskier than a conveyor belt that takes mail from the main building to the warehouse. They may use the same technology and the same protocols, but the risk levels are far apart.
Several vendors provide calculated risk scores to help you understand asset risk. They may look impressive in a POC, but how well do they help you monitor and reduce risk day-to-day? If they don’t reflect how your organization calculates risk, you’ll probably just disregard them.
The Nozomi Networks platform assigns risk scores to each of your assets to help you prioritize security efforts, address the most critical risks first and take the correct actions to mitigate potential threats effectively. It calculates asset risk based on five factors: vulnerability risk, alert risk, communication risk, device risk, asset criticality and compensating controls. You can use our scores out of the box — or you can fully customize the weight of each variable until the calculation accurately reflects how your organization assigns risk, so it’s useful.
See the Impact of Your Security Controls on Risk Over Time
When looking at your OT asset risk, you need to be able to see at a glance what assets are riskiest by zone, site, vendor and any other way you might want to categorize them. And you need to be able to drill down to understand what makes them risky and what you can do about it. It's also important to see how individual risk scores contribute to the higher-level risk score of the site or zone the asset belongs to, and ultimately, the risk score of the entire company. Even with all of this context, individual asset risk scores provide little value. For proper risk management, you need to understand changes in risk scores over time.
The Nozomi Networks risk dashboard shows your current risk scores by zone, site and other categories you select. If your risk is trending in the wrong direction, you can drill down to see why and where you need to add the right controls. Maybe you need to lock down your insecure protocols or beef up your segmentation. Whatever you decide to do, your risk score will reflect the degree of impact your actions have made, using your own risk assumptions. If your risk score started at 70 globally and went down to 52, you now have hard ROI to justify your investment.
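To make the multi-factor idea concrete, here is an added illustration, not Nozomi's own formula (which the article does not publish): a hypothetical weighted model over the factors named above, with compensating controls dialing down the exposure-driven factors (the Telnet-behind-firewalls case), a criticality-weighted roll-up to zone level, and a trend delta. The weights, the roll-up rule and the sample assets are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical weights: the article names the factors but not the vendor's
# actual formula, so these are placeholders an asset owner would tune.
DEFAULT_WEIGHTS = {"vulnerability": 0.30, "alert": 0.25, "communication": 0.20,
                   "device": 0.10, "criticality": 0.15}
# Factors that describe exposure, which compensating controls can reduce.
EXPOSURE_FACTORS = ("vulnerability", "alert", "communication")

@dataclass
class Asset:
    name: str
    zone: str
    factors: Dict[str, float]      # each factor scored 0-100
    compensating: float = 0.0      # 0-1: share of exposure mitigated by controls

def asset_risk(asset: Asset, weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted 0-100 score; controls dial down the exposure factors only."""
    w = weights or DEFAULT_WEIGHTS
    score = 0.0
    for factor, weight in w.items():
        value = asset.factors.get(factor, 0.0)
        if factor in EXPOSURE_FACTORS:
            value *= 1.0 - asset.compensating
        score += weight * value
    return round(score / sum(w.values()), 1)

def zone_risk(assets: Iterable[Asset], zone: str, weights=None) -> float:
    """Roll-up: criticality-weighted mean, so crown jewels dominate the zone score."""
    members = [a for a in assets if a.zone == zone]
    total_crit = sum(a.factors.get("criticality", 0.0) for a in members) or 1.0
    return round(sum(asset_risk(a, weights) * a.factors.get("criticality", 0.0)
                     for a in members) / total_crit, 1)

def trend(history: List[float]) -> float:
    """Change from first to last score; negative means the program is working."""
    return round(history[-1] - history[0], 1)

# Constructed sample: two conveyors on identical technology that differ only in
# criticality, and a Telnet-exposed HMI at Purdue Level 2 with firewalls above
# and below it (compensating = 0.6).
SAMPLE = [
    Asset("conveyor_ore", "furnace", {"vulnerability": 80, "alert": 20, "communication": 30, "device": 50, "criticality": 90}),
    Asset("conveyor_mail", "warehouse", {"vulnerability": 80, "alert": 20, "communication": 30, "device": 50, "criticality": 20}),
    Asset("hmi_telnet_l2", "furnace", {"vulnerability": 90, "alert": 70, "communication": 80, "device": 40, "criticality": 60}, compensating=0.6),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a.name:14s} {asset_risk(a):5.1f}")
    print("furnace zone", zone_risk(SAMPLE, "furnace"), "trend", trend([70, 66, 61, 55, 52]))
```

Re-weighting criticality upward (the OT owner's view) widens the gap between the two conveyors without touching their vulnerability data, which is the customization the article describes.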
Quantify Your OT Risk to Secure Cybersecurity Funding
Given the many unknowns and educated guesstimates involved in trying to calculate OT cyber risk, one might conclude it’s not worth the effort. It is. Applying a standard (but customizable) formula to help assess and prioritize at every level enables you to translate cyber risk into business risk terms that executives, board members and other risk owners understand. You may still have to haggle over what constitutes an acceptable level of risk, but your appeals for adequate budget to advance your organization’s cyber maturity are much more likely to be heard.