Risk Assessment and Gap Analysis for Industrial Control System infrastructure: the core essentials
Conducting a risk assessment and gap analysis exercise for Industrial Control System environments is important from cybersecurity, business continuity, and risk mitigation perspectives. The aim is to bring risk exposure down to acceptable levels and to reduce the risk tolerance with every assessment cycle, so that the overall risk sensitivity of the enterprise improves measurably.

Where to start your Risk Assessment & Gap Analysis journey?

What is the best time to start an assessment? As a matter of practice, there shouldn't be a gap of more than 300 days between one OT/ICS & IoT risk assessment and gap analysis cycle and the next. If 300 days have passed since you conducted your last ICS risk assessment cycle, then an assessment is due right now. A gap of 300 days gives your security team enough time to address the gaps identified in the last round, and gives you sufficient time to plan the next assessment with your OT/ICS & IoT risk assessment and gap analysis vendor. Such a time frame also spans multiple procurement cycles, so that the largest possible number of newly acquired assets is in scope and covered by an assessment.

Planning an assessment is not just about bringing the plant and other stakeholders on board to derive a schedule. Instead, an OT/ICS & IoT risk assessment and gap analysis planning exercise should ideally have the following:

Planning an OT/ICS and IoT Risk Assessment and Gap Analysis

An example from our experience of conducting OT/ICS and IoT Risk Assessment and Gap Analysis

In one of the OT/ICS risk assessment and gap analysis projects that Sectrio did recently, we covered an asset base that was spread across over 994 miles (1600 km). In this project, the planning phase itself stretched over 38 days, as we also had to study the report submitted by another vendor during a previous assessment. Further, our pre-assessment teams visited multiple sites to get a first-hand view of the infrastructure along with site-specific challenges and considerations.
Other considerations while planning a Risk Assessment and Gap Analysis:

Focus areas for the pre-assessment phase

The initial (pre-assessment) steps should ideally set the stage for a more comprehensive and relevant assessment exercise. However, the initial assessment should not be seen merely as an enabler for the next assessment. The initial assessment stands on its own, and if done right, the gaps it identifies can be addressed as action items in their own right. The following should be the focus areas for the pre-assessment phase:

Simplifying the approach to OT/ICS and IoT Risk Assessment & Gap Analysis

Considerations for an On-site Risk Assessment and Gap Analysis

Things to watch out for

A less than diligent and studied assessment effort can tick a checklist line item, but it can never lead to any substantial change in the security posture of an organization. Sectrio has engaged many enterprises where someone else had conducted the assessment but the findings were of no use to the teams or to the business. So how do you protect your business from unhelpful assessments? Here's how:

When done well, an OT/ICS & IoT Risk Assessment and Gap Analysis exercise can become a helpful ally in improving your security posture.

Sectrio can help you with an OT/ICS and IoT Risk Assessment and Gap Analysis

Sectrio has extensive experience in securing enterprises across the globe using proprietary Risk Assessment and Gap Analysis methodologies aligned with IEC 62443 and NIST CSF. Our assessments are decision-oriented and provide a complete picture of your security level, along with clear measures to improve security levels and address any compliance mandate or security concern. Talk to us today for more. Contact us | Request for a quotation
The post Risk Assessment and Gap Analysis for Industrial Control System infrastructure: the core essentials appeared first on Security Boulevard.