Risk Analysis is the primary way to understand cyber security threats and control needs. This activity is usually performed with a focus on a specific installation, since the physical environment is analyzed in addition to the logical one.
With the risk analysis at hand, it is possible to develop the Industrial Cyber Security Plan (PSCI), which recommends how and when protection actions should be adopted.
Risk analysis can be conducted in plants in operation (Brownfield) or in the design phase (Greenfield).
The risk analysis of automation networks proceeds in the following steps:
Static Risk Analysis
At this stage of the risk analysis, network diagrams are checked, the operating environment (data center) is inspected, and audit questionnaires on the physical and logical security of the automation network are applied, aligned with the best practices of the ANSI/ISA-99, ISA-IEC 62443, NIST 800-82 and ISO 27001/27002 standards.
Visits to the customer's premises will enable our consultants to identify existing physical and logical security controls or countermeasures in the networks, assessing, as far as possible, the conditions under which the controls are installed and in use, and their suitability.
For the evaluation to be comprehensive, it uses the categories of controls suggested by the ANSI/ISA-99.02.01, ISA-IEC 62443 and NIST SP800-82 standards (management, operational and technical controls) for the automation network, and by the ISO/IEC 27001/27002 standards (managerial, operational and technical controls) for the physical inspection of customer datacenters.
The evaluation will be carried out by completing forms with a list of controls that make up the risk knowledge bases of the standards described above. These controls are grouped into the following risk categories:
Electronic Audit and Monitoring
Updates / patches
Backup, restore and recovery of systems
Electrical and electronic circuits
Voice and data network communications
Accounts and passwords
Physical and logical access control
Monitoring service performance
System and Application Parameters
Information Security Policy
Physical security controls
Training and awareness
Proper use of resources
Dynamic Risk Analysis
In this step, automated data collection from the automation network will be done in TAP (non-intrusive) mode, at the application level.
At the beginning of the dynamic analysis, the architecture of each client automation network will be analyzed and a plan will be drawn up to give visibility into Internet traffic and threats, as well as into other perimeters such as the borders with corporate networks, control systems (for the automation network), the datacenter and the process network, links to third parties, and external VPN connections or regulatory entities.
Data collection in automation environments relies on traffic mirroring, which neither affects operations nor changes the topology. For traffic mirroring, only one interface in TAP mode is connected to the real traffic (Port Mirror / SPAN Port) in order to analyze it, without causing any impact to the environment.
Defining mirroring points is the key to successful testing. The more segments are mirrored, the better the traffic sample collected for visibility of applications and threats, allowing you to identify your risks.
The mirroring points required for the data collection configuration and the time for collecting this data will be defined in the project start-up meeting, as well as the network addressing required for the configuration of the equipment that will capture the packets. It will be up to the client to provide the equipment and resources for the configuration of the TAP points as defined at the beginning of this phase.
Generation of the Risk Analysis Report
The data collected by the static analysis will be processed according to qualitative criteria, with qualitative probability and impact scales. Each threat / vulnerability set will be assigned, based on information collected in interviews with the local team, a probability of occurrence and an impact (depending on the consequences).
In addition, the data from the dynamic analysis will be used to verify, and generate evidence for, the information from the static risk analysis.
The combined static and dynamic analysis information will be consolidated in the Risk Analysis Report to be delivered to the client. The report will be delivered in Portuguese.
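The consolidation described above can be pictured with a short added example (not part of the original page or of the provider's tooling): static findings rated on a qualitative probability and impact scale are checked against flow summaries from a passive TAP/SPAN capture. The scale, thresholds, zone ranges, findings and flows are all constructed assumptions.

```python
import ipaddress

# Constructed qualitative scale (assumption; the page does not define its own).
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Constructed static-analysis input: zones taken from the network diagram.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}
# Findings with interview-assigned ratings and the traffic that would confirm them.
FINDINGS = [
    {"id": "F1", "category": "Physical and logical access control",
     "probability": "medium", "impact": "high",
     "evidence_if": ("corporate", "control", 502)},   # Modbus/TCP across zones
    {"id": "F2", "category": "Voice and data network communications",
     "probability": "low", "impact": "high",
     "evidence_if": ("control", "external", 443)},    # control zone reaching out
]
# Constructed flow summaries (src, dst, dst_port) from a passive capture.
FLOWS = [
    ("10.10.4.21", "192.168.50.10", 502),
    ("192.168.50.10", "192.168.50.11", 44818),
    ("10.10.4.21", "10.10.0.5", 445),
]

def zone_of(ip):
    """Map an address to its documented zone; anything unknown is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def rating(probability, impact):
    """Qualitative risk from probability x impact (thresholds are assumptions)."""
    score = LEVELS[probability] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def consolidate(findings, flows):
    """Attach a risk rating and any supporting captured flows to each finding."""
    rows = []
    for f in findings:
        hits = [fl for fl in flows
                if (zone_of(fl[0]), zone_of(fl[1]), fl[2]) == f["evidence_if"]]
        rows.append({"id": f["id"], "category": f["category"],
                     "risk": rating(f["probability"], f["impact"]),
                     "status": "confirmed by traffic" if hits else "not observed",
                     "evidence": hits})
    return rows

if __name__ == "__main__":
    for row in consolidate(FINDINGS, FLOWS):
        print(row["id"], row["risk"], row["status"], row["evidence"])
```

A finding marked "not observed" is not disproved; it only means the mirrored segments and collection window produced no supporting traffic.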