Industrial Internet Security Framework v 1.0 | Page 28
Security Framework
5: Managing Risk
a balance has been struck in cost versus effectiveness of security controls. Applicable metrics
help observe shortcomings continuously so as to create and apply corrective actions in a timely
and efficient manner. In turn, the metrics may also change.
Effective business decision-making is an important component of industrial security programs.
Security risks, as well as the costs and benefits of different defensive postures, should be
communicated effectively to business decision makers, especially as they are frequently not
familiar with the details of security risks or of countermeasures.
5.1 SECURITY PROGRAMS
Security programs encompass a range of technologies and activities essential to a
comprehensive, robust security posture. The NIST ‘Framework for Improving Critical
Infrastructure Cybersecurity’, for example, has been adopted across many industrial sectors
internationally.[1] It identifies five essential program activities:
• Identify: Develop the organizational understanding to manage security risk to systems,
  assets, data and capabilities.
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical
  infrastructure services.
• Detect: Develop and implement appropriate activities to identify the occurrence of a
  security event.
• Respond: Develop and implement the appropriate activities to take action regarding a
  detected security event.
• Recover: Develop and implement the appropriate activities to maintain plans for
  resilience and to restore any capabilities or services impaired due to a security event.
In this model, risk management is primarily a business process, while implementation is a
technical and operational one. The implementation process provides asset, vulnerability and
experience inputs to the risk management process, and the risk management process provides
priorities, policy and budget decisions to the implementation process.
Risk is not static. The process to assess risk needs to be performed periodically. Changes in risk
can come from:
• changes in the concept, value, or criticality of the system,
• changes in the physical composition of the system,
• changes in the threats to the system,
• adding assessment activities and addressing the findings from those assessments and
• adding new features or changing existing capabilities.
System designers frequently have to choose between several options of technical, procedural
and operational controls to address attacks. The decision process and metrics used in making the
[1] See [NIST-FICIC] and [NIST-FFAQ]
IIC:PUB:G4:V1.0:PB:20160926