Cybersecurity is a hot topic in the industrial control system (ICS) world. What does cybersecurity mean to your organization and how do you implement proper cybersecurity? Determining how or what control an organization implements should be based on how you choose to handle risk. Risk within an organization can either be accepted (do nothing), mitigated (implement a control) or transferred (get insurance). To most efficiently implement the proper controls, a risk assessment must first be completed.
Completing a risk assessment within your organization might seem overly complicated, but it can be done in just a few simple steps. The first step is to define the scope: depending on the scope of the risk assessment, you might assess one or several individual pieces of technology, a business process, a department, or even the entire organization. Whatever is in scope is what is referred to as an asset.
Next, find the value of the asset to the organization. This can be done by adding a dollar value to the asset (what it cost to purchase or how much it makes for you) or a qualitative value (what the asset means to the organization).
Now you can continue the risk assessment by understanding what risks threaten the asset. Threats to your assets can be internal or external, manmade or natural, intentional or inadvertent. Since not all threats are equal, a determination must be made to understand the threat level. This is done by determining the impact of the threat and the likelihood of the threat occurring. When documenting these determinations, remember to consider threats to your assets as if no controls were in place: for instance, as if the asset were not in your locked server room with biometric access controls. This will tell you what risk the asset inherently adds to the organization.
The final step is to determine what controls you have put into place to protect your asset. Have you put that asset in a locked server room with biometric access control? Based on the controls that have been put in place, you can see a reduction in the risk an asset poses to the organization. After this process has been completed for all identified assets, you can determine what asset poses the most risk and focus your efforts on that area.
Remember, it is not possible to eliminate all risk. However, understanding your organization's risk tolerance will help you determine whether to accept, mitigate or transfer any remaining risk. You do not want to spend additional money on an asset that already meets the organization's risk tolerance.
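The steps above (identify the asset, score each threat's likelihood and impact with no controls in place, apply the controls that actually exist, then compare the residual risk against the organization's tolerance) can be carried through as a small risk register. The following is an added worked example, not code from the article or from Interstates. It assumes a 1 to 5 scale for likelihood and impact with risk score = likelihood × impact, assumes that a control reduces the likelihood or impact only of the threats it is mapped to, and uses constructed sample assets, threats, controls and a tolerance of 8; none of those figures come from the article.

```python
"""Risk register walk-through for the assess / control / compare procedure.

Scoring model (assumed): likelihood and impact each 1..5, score = likelihood * impact
(1..25). A control subtracts points from likelihood and/or impact, but only for the
threats it is mapped to. All assets, threats, controls and the tolerance below are
constructed sample data, not figures from the article.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assessed with no controls in place
    impact: int       # 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    name: str
    mitigates: List[str]          # names of the threats this control applies to
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Asset:
    name: str
    value: str                    # qualitative value to the organization
    threats: List[Threat]
    controls: List[Control] = field(default_factory=list)


def _clamp(score: int) -> int:
    """Keep a likelihood or impact on the 1..5 scale after reductions."""
    return max(1, min(5, score))


def threat_score(threat: Threat, controls: List[Control]) -> int:
    """Score one threat after applying only the controls mapped to it."""
    applicable = [c for c in controls if threat.name in c.mitigates]
    likelihood = _clamp(threat.likelihood - sum(c.likelihood_reduction for c in applicable))
    impact = _clamp(threat.impact - sum(c.impact_reduction for c in applicable))
    return likelihood * impact


def inherent_risk(asset: Asset) -> int:
    """Risk the asset adds with no controls in place (its worst threat)."""
    return max(threat_score(t, []) for t in asset.threats)


def residual_risk(asset: Asset) -> int:
    """Risk that remains once the asset's existing controls are counted."""
    return max(threat_score(t, asset.controls) for t in asset.threats)


def decide(asset: Asset, tolerance: int) -> str:
    """Assumed rule: accept residual risk at or below tolerance, otherwise mitigate."""
    return "accept" if residual_risk(asset) <= tolerance else "mitigate"


def worth_adding(asset: Asset, control: Control, tolerance: int) -> bool:
    """The article's caution: spend nothing on an asset already within tolerance.
    Returns True only if the asset is over tolerance AND the control lowers its residual risk."""
    if residual_risk(asset) <= tolerance:
        return False
    candidate = Asset(asset.name, asset.value, asset.threats, asset.controls + [control])
    return residual_risk(candidate) < residual_risk(asset)


def rank_assets(assets: List[Asset], tolerance: int) -> List[Tuple[str, int, int, str]]:
    """Rows of (name, inherent, residual, decision), highest residual risk first."""
    rows = [(a.name, inherent_risk(a), residual_risk(a), decide(a, tolerance)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# --- constructed sample register ----------------------------------------------------
TOLERANCE = 8   # constructed: the organization's assumed risk tolerance on the 1..25 scale

HISTORIAN = Asset(
    "SCADA historian", "critical",
    threats=[Threat("unauthorized physical access", likelihood=4, impact=5),
             Threat("ransomware via IT network", likelihood=3, impact=5)],
    controls=[Control("locked server room with biometric access",
                      mitigates=["unauthorized physical access"], likelihood_reduction=3),
              Control("offline backups", mitigates=["ransomware via IT network"],
                      impact_reduction=2)],
)
WORKSTATION = Asset("Engineering workstation", "high",
                    threats=[Threat("malware via USB", likelihood=4, impact=3)])
HMI = Asset("Operator HMI panel", "moderate",
            threats=[Threat("operator error", likelihood=3, impact=2)])
ASSETS = [HISTORIAN, WORKSTATION, HMI]

# a proposed control to evaluate against the register (constructed)
USB_LOCKDOWN = Control("USB port lockdown", mitigates=["malware via USB"], likelihood_reduction=2)

if __name__ == "__main__":
    for name, inherent, residual, decision in rank_assets(ASSETS, TOLERANCE):
        print(f"{name:24s} inherent={inherent:2d} residual={residual:2d} -> {decision}")
    print("USB lockdown worth adding to workstation:", worth_adding(WORKSTATION, USB_LOCKDOWN, TOLERANCE))
    print("USB lockdown worth adding to HMI:", worth_adding(HMI, USB_LOCKDOWN, TOLERANCE))
```

Running it ranks the uncontrolled engineering workstation above the historian, even though the historian has the higher inherent risk, because the historian's existing controls already bring it close to tolerance; the HMI panel falls within tolerance and is accepted, so `worth_adding` declines further spending on it.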
Risk assessment and management can seem like a daunting task for any organization, but they are essential for any organization that wants a mature and efficient cybersecurity program. Interstates has helped a multitude of ICS users better understand cybersecurity within their organizations and move forward in a more secure and strategic manner.
Brandon Bohle is MIT Analyst III at Interstates Control Systems Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Interstates Control Systems, visit its profile on the Industrial Automation Exchange.