The Four-Step Guide to Understanding Cyber Risk

Identifying Cyber Risks and Addressing the Cyber Security Gap

Lifecycle Solutions & Services

©2015 Honeywell International Inc. All Rights Reserved.


Introduction: A Real Danger

It is estimated that cyber risk costs the global economy up to $400 billion a year—maybe even more. For industrial control systems (ICSs), however, the risks are even more acute.

A poll of 1,642 experts by the Pew Research Centre shows 61% predict a major cyber attack will cause “widespread harm to a nation’s security and capacity to defend itself and its people” in the next ten years.

“By ‘widespread’ harm we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars,” Pew clarified.

A successful attack is among the major risks worrying the U.S. government. As Michael Rogers, commander of U.S. Cyber Command, testified to the US House of Representatives Intelligence Committee:

“We have seen instances where we are observing intrusions into industrial control systems. What concerns us is that access...can be used by nation states, groups or individuals to take down [their] capability,” he said. ICSs are a growth area of vulnerability, he added. “It’s among the things that concern me the most.”

In the Firing Line

The warning signs are already there. Rogers’ comments came just weeks after a Department of Homeland Security alert said malware named BlackEnergy had infiltrated companies running much of the country’s infrastructure. Less than a month later, a German government report revealed “massive damage” from an infected email targeting a steel mill in the country.

Like Stuxnet, Havex and BlackEnergy, the German attack was targeted specifically at industrial control systems.

The Cyber Arms Race

The Threat is Driven by a Number of Factors

• Attackers’ growing sophistication. The German attackers had “advanced know-how not only of conventional IT security, but also detailed technical knowledge of the industrial control systems and production processes used in the plant,” the government report noted.

• The industrialization of cyber crime, with skilled attackers selling “crime as a service” to others without technical skills.

• Growing vulnerabilities as up to 25 billion web-connected systems and devices in the “Internet of things” come online by 2020. Publicly available tools like Shodan let would-be attackers easily identify ICSs. In 2013, for instance, Finnish researchers used the search engine to find nearly 3,000 unsecured Internet-facing SCADA systems running the country’s water supply, building automation and other systems. Project SHINE (SHODAN Information Extraction), a multi-year research project aimed at identifying industrial control devices that were directly connected to the Internet, found millions of such devices.

Against this, cyber risk management in industrial control systems is falling behind.

• Tools and methods used by IT cyber security professionals for managing network risks are not fully adopted in ICS engineering and operations teams.

• Worse, those with legacy systems may ignore best practices, avoiding patches and virus protection updates, for fear they’ll jeopardize plant stability.

The result is a growing gap between the capabilities of attackers and the defenses pitched against them.

Assessing the Risk

To Understand the Risk, We Need a Definition.

Fortunately, organizations such as the International Standards Organization (ISO) and National Institute of Standards and Technology (NIST) have developed definitions that are widely accepted and used.

In both cases, risk is seen as a function of the vulnerability of an asset, the threat, which is the likelihood an attack will occur, and the consequence of such an attack being successful.

What is Risk?

ISO: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

NIST: A function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Assessing the Risk (cont.)

To Put it Another Way:

Risk = Vulnerability × Threat × Consequence

Through a function of vulnerability, threat and consequence, we are able to quantify risk. By assigning a value (whether between 0 and 1, 0-100 or any other consistent scale) to each element, users derive a metric that provides a consistent measure of risk and can be used throughout the organization.

The ultimate aim, of course, is to manage the risk, and this will be considered in a forthcoming e-book. However, you cannot manage what you cannot measure.

This e-book therefore focuses on evaluating the risk, and requires a thorough understanding of all the components in the equation above. It is, then, a four-stage process, looking at each element—threats, vulnerabilities and consequences—in turn before bringing them all together.

Step 1: Knowing Your Vulnerabilities

A vulnerability is any quality of an asset that could allow it to be exploited. All digital assets have them. Some are known; some aren’t. Some are easier to exploit than others.

A common source of vulnerabilities is software bugs; 2014’s Heartbleed vulnerability, affecting half a million websites as well as thousands of connected devices, is just one of the most high-profile examples.

There are numerous vulnerability assessment (VA) tools to track known vulnerabilities within applications and operating systems, but these have their limits.

• First, VA tools can probe aggressively to test for vulnerabilities across enterprises, which may be unsuitable, and unsafe, when applied to network activity in an ICS.

• Second, vulnerabilities are frequently the result not of a particular device or software suite but of poor practices or configurations—weak passwords, group accounts with administrative privileges, failures to implement anti-virus programs and host firewalls, and so on. All of these can be exploited by attackers to leverage systems for unintended purposes.

• Finally, vulnerabilities must be looked at across operations and processes. Control systems are not just a collection of individual devices, but interconnected systems of devices. Poor access controls on an application running in a control room, for example, can make the whole process vulnerable, not just a single workstation.

Step 2: Identifying Threats

It is threats that turn a vulnerability into an incident.

Threats may be coincidental or accidental, simple or complex, and the result of a wide range of motives. What they have in common is that they have “the potential to harm assets...e.g. unauthorized actions, physical damage, technical failures,” as ISO27005:2011 puts it.

They also exploit vulnerabilities, and when specific vulnerabilities are known, it is possible to predict some of the early signs of threats against these. Each stage of a cyber attack typically consists of several steps, and by scanning for these, attacks may be detected before an incident occurs.

Step 2: Identifying Threats (cont.)

Moving targets: the importance of regular review.

Both vulnerabilities and threats evolve over time. This is most obvious with threats, with more than 200,000 new variants of malware (such as viruses, trojans or worms) identified every day. But it’s true of vulnerabilities, too.

First, new devices and applications bring with them new vulnerabilities.

Second, vulnerabilities are discovered in areas previously believed to be secure: Again, Heartbleed—code that was meant to increase security—showed that the security industry’s strongest assumptions can be overthrown overnight. It is impossible to take anything for granted when it comes to cyber security.

Since new vulnerabilities and threats emerge and are detected all the time, both must be continuously reviewed.

Step 2: Identifying Threats (cont.)

Understanding the relationship between threats and vulnerabilities.

When threats align with vulnerabilities, the risk of a cyber incident increases significantly. Take the example of the virus detected and quarantined by anti-virus software on a control room server, again. The threat (virus) finds no vulnerability because the anti-virus software worked. But the episode still shows malware is able to access the server, which should be in a protected network.

This raises questions of exposure: If known malware has been found, could unknown (“zero day”) malware also be present? How was the malware introduced? Could the detected malware have also been introduced to other systems? The threat, although unsuccessful, still indicates the potential for infection and therefore contributes to the overall level of risk.

The relationship between threats and vulnerabilities is complex, but with the right tools can be both understood and managed.

Step 3: Measuring Consequences—The Final Piece

Consequences put these threats and vulnerabilities into perspective.

By identifying assets and the impact of a potential attack on them, you can determine the degree to which you should worry. A vulnerability that could take a printer offline, for example, is likely to be less of a concern than a successful attack on a safety system.

Measuring consequences is not straightforward. In many cases, they may correlate closely to costs, typically through lost production. However, consequences could be far wider, encompassing risks to personal safety, environmental damage, reputational impacts, legal liabilities or even, as we’ve seen, national security concerns.

Furthermore, interrelationships in the plant must again be recognized: the consequence of an incident can’t be measured solely by the impact on the specific, compromised device. A cyber attack may cause a device or server to fail, but what if it obtains control of the device or server and uses it to cause far wider damage?

The potential for impacts to spiral from the immediate effect of an initial breach is a vital part of any assessment of consequences.

Step 4: Bringing it Together—Measuring Risk

Understanding and addressing the preceding elements gives a plant what it needs to begin to make a realistic assessment of its risks.

• It will know the vulnerabilities to look out for

• It will have put in place elements of threat detection, such as firewalls on the network and connected hosts and virus protection

• And it will have identified its most important assets and the potential consequences of an attack on them.

A solution now available to assist with ongoing situational awareness is Honeywell’s Industrial Cyber Security Risk Manager.

Risk Manager is the first solution to proactively monitor, measure and manage industrial cyber security risk, providing users at all levels with the real-time visibility, understanding and decision support required for action. With Risk Manager there is no need to be a cyber security expert. The easy-to-use interface allows users to prioritize and focus efforts on managing risks that matter most for reliable plant operations.
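The Risk = Vulnerability × Threat × Consequence metric from "Assessing the Risk", carried through the four steps over a small constructed plant, as an added Python example (not Honeywell's code and not how Risk Manager computes anything): each factor is scored on any consistent scale and normalized, consequence is propagated along asset dependencies so that a device able to reach a safety system inherits that system's impact (the "spiral" from Step 3), and the assets are ranked. The asset names, scores and the worst-case (maximum) propagation rule are assumptions made for the example.

```python
"""Worked Risk = Vulnerability x Threat x Consequence over a set of plant assets, with
consequence propagated along dependencies: a compromised device that can reach a safety
system inherits the safety system's impact. Names, scores and the max rule are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    vulnerability: float      # how exploitable the asset is, on the chosen scale
    threat: float             # likelihood that the vulnerability is exercised
    consequence: float        # direct impact if only this asset is compromised
    controls: list = field(default_factory=list)  # assets this one can influence

def normalize(value, scale_max):
    """Map a score from 0..scale_max onto 0..1 so any consistent scale can be used."""
    if not 0 <= value <= scale_max:
        raise ValueError(f"score {value} outside 0..{scale_max}")
    return value / scale_max

def effective_consequence(name, assets, path=frozenset()):
    """Worst-case impact: the asset's own impact or that of anything it can reach."""
    if name in path:          # dependency cycle: nothing new to add
        return 0.0
    reach = [effective_consequence(d, assets, path | {name}) for d in assets[name].controls]
    return max([assets[name].consequence, *reach])

def rank_risk(assets, scale_max=1.0):
    """Return (name, risk) pairs, highest risk first, every factor normalized to 0..1."""
    ranked = []
    for name, a in assets.items():
        v = normalize(a.vulnerability, scale_max)
        t = normalize(a.threat, scale_max)
        c = normalize(effective_consequence(name, assets), scale_max)
        ranked.append((name, v * t * c))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

# Constructed sample plant, scored on a 0..10 scale. The printer is the most exposed
# asset but the least consequential; the HMI matters because of what it can reach.
PLANT = {
    "printer": Asset(vulnerability=9, threat=6, consequence=1),
    "hmi_workstation": Asset(vulnerability=7, threat=6, consequence=3, controls=["plc"]),
    "plc": Asset(vulnerability=4, threat=3, consequence=6, controls=["safety_system"]),
    "safety_system": Asset(vulnerability=2, threat=3, consequence=10),
}

if __name__ == "__main__":
    for name, risk in rank_risk(PLANT, scale_max=10):
        print(f"{name:16s} risk={risk:.3f}")
```

Without propagation the HMI workstation would score 0.7 × 0.6 × 0.3 = 0.126; because it can reach the safety system it ranks first at 0.42, which is the page's point that a compromised device's consequence is not just its own.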

More about Cyber Security

May 2015

For industrial organizations, identifying risks is the first stage of the journey to a more secure system in the face of increasing attacks. We’ll consider the second stage in our forthcoming e-book on managing the risks.

For More Information

Meanwhile, for more information about Cyber Security, here are some more resources to help you:

• The Essential Guide to Cyber Security: Download this to learn about the essentials of Industrial Cyber Security and how to approach it.

• Honeywell Whitepapers: Honeywell experts have published various whitepapers on various elements of Industrial Cyber Security. View the complete list.

• Case Studies: Read and learn from our to know the steps other industrial customers are taking to tackle cyber attacks.

• Visit