Industrial Internet Security Framework v 1.0 | Page 28

Security Framework 5: Managing Risk

a balance has been struck in cost versus effectiveness of security controls. Applicable metrics help observe shortcomings continuously so as to create and apply corrective actions in a timely and efficient manner. In turn, the metrics may also change.

Effective business decision-making is an important component of industrial security programs. Security risks, as well as the costs and benefits of different defensive postures, should be communicated effectively to business decision makers, especially as they are frequently not familiar with the details of security risks or of countermeasures.

5.1 SECURITY PROGRAMS

Security programs encompass a range of technologies and activities essential to a comprehensive, robust security posture. The NIST ‘Framework for Improving Critical Infrastructure Cybersecurity’, for example, has been adopted across many industrial sectors internationally.1 It identifies five essential program activities:

• Identify: Develop the organizational understanding to manage security risk to systems, assets, data and capabilities.
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect: Develop and implement appropriate activities to identify the occurrence of a security event.
• Respond: Develop and implement the appropriate activities to take action regarding a detected security event.
• Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired due to a security event.

In this model, risk management is primarily a business process, while implementation is a technical and operational one. The implementation process provides asset, vulnerability and experience inputs to the risk management process, and the risk management process provides priorities, policy and budget decisions to the implementation process.

Risk is not static. The process to assess risk needs to be performed periodically. Changes in risk can come from:

• changes in the concept, value or criticality of the system,
• changes in the physical composition of the system,
• changes in the threats to the system,
• adding assessment activities and addressing the findings from those assessments and
• adding new features or changes in existing capabilities.

System designers frequently have to choose between several options of technical, procedural and operational controls to address attacks. The decision process and metrics used in making the

1 See [NIST-FICIC] and [NIST-FFAQ]

IIC:PUB:G4:V1.0:PB:20160926 - 28 -