Vulnerability and Risk Assessments

Security incidents, such as September 2005 Zotob worm shutdown of assembly lines at Daimler-Chrysler plants or the wireless attack on the Australian sewage treatment system, have made it clear that some security risk is faced by any industrial SCADA or control system, no matter what it does and where it is located.

At the same time it is clear that companies can’t afford the infinite cost of perfect security for their control systems. Sound business practice requires that companies balance off the cost of measures to mitigate a security risk with the potential cost of a security event occurring. To do so, one needs to develop an understanding of the variables defining the security risk for an industrial facility, namely the threats, vulnerabilities and consequences of a security event.

There are a significant number of different methodologies to choose from and the process is often referred to as a Security Vulnerability Assessment, Vulnerability Assessment Methodology (VAM) or Security Risk Assessment. Regardless of the name, nature or scope, we believe that any well designed assessment methodology will include the following three steps:

1. Determining the assets that need to be protected (people, processes,equipment, information, chemicals, etc.);
2. Determining the threats to those assets (theft, misuse, damage, system malfunction, etc.);
3. Determining the consequence of a compromise for each of the assets(loss of production, health/safety impact, environmental impact, etc.).

Byres Research will work with corporate management to select an appropriate methodology that matches well with your company’s size, culture and risk level. Generally we recommend an initial self-assessment audit based on the nationally recognized Control System Cyber Security Self-Assessment Tool (CS2SAT) developed by the Department of Homeland Security (DHS) Control Systems Security Program (CSSP).

Once this baseline audit is completed it can be followed up with ongoing audits using Byres Research's Meantime to Compromise (MTTC) Framework. This is an inexpensive technique that measures security on an ongoing basis, allowing continuous improvement techniques to be used. Both methodologies can be based on an internally driven audit process (where the bulk of the effort is carried out by company staff under the guidance of security experts at Byres Research) or as a fully external audit.



Byres Security Inc. and Byres Research
P.O. Box 178
Lantzville BC V0R 2H0

Phone: 250-390-1333
Fax: 250-390-3899
Email: info@byressecurity.com

Vulnerability and Risk Assessment

CRITICAL INFRASTRUCTURE SECURITY

• products
• services
• projects
• publications
• corporate
• news

• home
• members
• newsletter
• contact us
• related links

Forgot Password?

• home
• members
• tofino
• vulnerability and risk assessment
• security policy development
• security architechture & technology
• policy and regulatory compliance audits
• penetration testing and ethical hacking
• incident response planning
• onsite industrial cyber security training
• active projects
• completed projects
• clients & partners
• case history / incidents
• presentations
• technical papers
• technical articles
• other papers we like
• overview
• vision
• the team
• community
• careers
• press releases
• events
• awards
• newsletter archives
• contact info
• inquiry form
• government organisations and ISACs
• standard bodies and working groups
• research groups
• site map