Part of:Managing cybersecurity threats to critical infrastructure
Traditional IT vs. critical infrastructure cyber-risk assessments
When it comes to critical infrastructure cybersecurity, the stakes are uniquely high. Assessing associated cyber-risk, in turn, is uniquely challenging.
Not all cybersecurity risks are created equal, and because threats are constantly evolving, it's crucial to regularly perform and update risk assessments. That's especially true for critical infrastructure, where cyber attacks can have life-threatening consequences. But are critical infrastructure cyber-risk assessments different than traditional IT cyber-risk assessments? The answer is importantly yes.
To understand how the assessments differ, it's important to first establish how the risks differ:
Traditional IT cyber-risk. The likelihood a threat actor gains control of an organization's sensitive information and the potential financial consequences.
The degree of danger associated with critical infrastructure cyber-risk is significantly higher than with traditional IT cyber-risk. For example, if someone were to steal your identity and open a credit card in your name, it would certainly disrupt your personal life, but you are unlikely to be held accountable for the fraudulent charges. In contrast, if bad actors were to shut down the electric grid, poison the local water system or compromise a reservoir dam, your family could be in life-threatening danger. Sufficiently widespread critical infrastructure attacks could also have grave national security implications.
While traditional IT cyber-risk primarily involves financial consequences, critical infrastructure cyber-risk must consider the possibility of physical harm.
Although it's important to highlight the differences between critical infrastructure and traditional IT cyber-risk, it's also worth noting that real-world incidents are not always so easy to parse. For example, nation-states sometimes are motivated to steal money rather than to wreak havoc; North Korea and Iran come to mind. And, although ransomware is a favorite among criminals looking to extort private companies, a ransomware attack can also have national security implications -- think of the recent Colonial Pipeline shutdown. In another example, a criminal might wage a ransomware attack on a hospital to extort money, but if the ransomware attack affects the delivery of patient care, people could suffer and die.
Critical infrastructure cyber-risk assessments vs. traditional IT cyber-risk assessments
IT use is widespread in industrial settings. Critical infrastructure cyber-risk assessments must, therefore, include all the information risk elements that an IT cyber-risk assessment would. They must also address many additional -- and, frankly, more frightening -- physical risk elements.
Traditional IT cyber-risk assessments and critical infrastructure cyber-risk assessments must both consider the following risk-scenario consequences:
The double scope of critical infrastructure cyber-risk assessments makes them much more complex and challenging than traditional IT cyber-risk assessments, largely because assessing physical risk requires additional knowledge, skill sets and methodologies.
Critical infrastructure risk assessments are more complex than traditional IT risk assessments because they encompass both traditional IT risks and physical risks.
Traditional IT cyber-risk assessors and critical infrastructure cyber-risk assessors need expertise in the following areas:
IT
IT security
finance
legal
PR
Critical infrastructure cyber-risk assessors must also have expertise in the following subjects:
operational and field technologies
industrial cybersecurity
operations supervisory management
industrial engineering
process safety management
health and safety management
environmental risk and compliance
environmental remediation
industrial regulatory compliance
physical security
Risk assessment methodologies
The two types of risk assessments also use different methodologies. Traditional IT risk assessments rely on frameworks such as the following:
The environments these assessments respectively cover also differ. Traditional IT risk assessments account for the following:
internet
cloud services and applications
corporate networks
on-premises services and apps
remote access
information and data
accounts, access and privileges
Critical infrastructure cyber-risk assessments also cover these environments:
operations field zones
operations safety zones
operations control zones
operations demilitarized/historian zones
operations remote access zones
operations information and data
operations accounts, access and privileges
Recommendations for critical infrastructure cyber-risk assessments
The most important takeaway is that critical infrastructure cyber-risk assessments are more complex than traditional IT risk assessments because they encompass both traditional IT risks and physical risks.
Consider the following recommendations when undertaking a critical infrastructure cyber-risk assessment:
Get the right third-party help. Internal staff likely lacks the necessary integrated expertise to design and conduct a comprehensive critical infrastructure cyber-risk assessment. Engage with an outside organization, whether public or private, that has deep experience in critical infrastructure risk assessment and protection readiness.
Get the right people involved internally. While IT staff own digital technology threats, the people who understand cyber threats' potential physical implications come from elsewhere in the organization. Work with internal experts from operations, process engineering, technical engineering, environmental health and safety, and process safety.
Get the right message to the executive team. Executives often see cyber-risk as a technical problem for IT to solve. Help them to understand that, when it comes to modern cyber threats, much more is at stake. IT cannot solve the problem of critical infrastructure risk alone -- it will take the entire organization, from the factory floor to the boardroom.
