Industrial Internet Security Framework v 1.0 | Page 33
Security Framework
5: Managing Risk
Systematic approaches develop models of possible consequences and possible attacks. Fault-tree
analysis is a method for understanding how lower-level events might combine into significant
undesirable outcomes. Attack-tree analysis is a method for understanding how attack vectors
exposed in individual IIoT components might be combined to bring about a specific compromise.
Risks due to low-frequency, high-impact events can be difficult for business decision makers to
evaluate. Qualitative risk scores are used widely to evaluate such risks, but qualitative scores can
be difficult to relate to security budgets, return-on-investment and the risk appetite of an
organization.
Some security teams communicate such risks by selecting and communicating a representative
set of attack scenarios with significant adverse consequences that are not defeated with a high
degree of confidence, given the organization’s current security posture. Business decision makers
often find specific, representative attack scenarios easier to understand and evaluate than
abstract qualitative scores. Specific representative attack scenarios allow them to select those
they believe should be better addressed by the security program, and to compare the cost of
upgrading security systems to the cost of the consequences of those specific scenarios.
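As an added worked example covering both the attack-tree analysis described earlier in this section and the scenario-cost comparison just described (this code is not from the IISF document or the IIC), the block below evaluates a small attack tree with AND/OR gates, turns the resulting success probability into an expected annual loss for one representative scenario, and compares the loss reduction from a candidate countermeasure against its cost. The tree structure, the leaf probabilities, the attempt rate, the consequence cost and the upgrade cost are all constructed for illustration, and the evaluation assumes that the success of sibling attack steps is independent, which is a simplifying assumption a real assessment would need to justify.

```python
"""Attack-tree evaluation and representative-scenario cost comparison.

Added example; not part of the IISF document. All figures are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """A node in an attack tree.

    Leaves carry the estimated probability that the attack step succeeds
    against the current security posture. Internal nodes combine their
    children with an AND gate (every child step is required) or an OR gate
    (any one child step suffices).
    """
    name: str
    gate: Optional[str] = None              # "AND", "OR", or None for a leaf
    p_success: float = 0.0                  # used for leaves only
    children: List["Node"] = field(default_factory=list)

    def probability(self) -> float:
        """Probability the attacker reaches this node, assuming the
        children's outcomes are independent (simplifying assumption)."""
        if not self.children:
            return self.p_success
        probs = [child.probability() for child in self.children]
        if self.gate == "AND":
            result = 1.0
            for p in probs:
                result *= p
            return result
        if self.gate == "OR":
            all_fail = 1.0
            for p in probs:
                all_fail *= 1.0 - p
            return 1.0 - all_fail
        raise ValueError(f"unknown gate {self.gate!r}")

    def find(self, name: str) -> Optional["Node"]:
        """Locate a node by name (depth-first)."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


@dataclass
class Scenario:
    """A representative attack scenario with its business consequence."""
    name: str
    tree: Node
    attempts_per_year: float        # constructed estimate of attempt frequency
    consequence_cost: float         # constructed cost of the adverse outcome

    def expected_annual_loss(self) -> float:
        return self.attempts_per_year * self.tree.probability() * self.consequence_cost


def evaluate_countermeasure(scenario: Scenario, leaf_name: str,
                            new_p: float, annual_upgrade_cost: float) -> Tuple[float, float, float]:
    """Return (loss_before, loss_after, net_benefit) for a countermeasure that
    lowers one leaf's success probability to new_p at the given annual cost.
    The tree is restored afterwards so the scenario can be re-evaluated."""
    leaf = scenario.tree.find(leaf_name)
    if leaf is None:
        raise KeyError(leaf_name)
    before = scenario.expected_annual_loss()
    original = leaf.p_success
    leaf.p_success = new_p
    after = scenario.expected_annual_loss()
    leaf.p_success = original
    return before, after, (before - after) - annual_upgrade_cost


def build_example_scenario() -> Scenario:
    """Constructed scenario: unauthorised change of a controller setpoint.
    Names and numbers are hypothetical."""
    tree = Node("Alter controller setpoint", gate="OR", children=[
        Node("Reach controller from enterprise network", gate="AND", children=[
            Node("Compromise engineering workstation", p_success=0.3),
            Node("Pivot across flat network to control segment", p_success=0.8),
        ]),
        Node("Gain physical access to local HMI", p_success=0.05),
    ])
    return Scenario("Setpoint tampering", tree,
                    attempts_per_year=2.0, consequence_cost=500_000.0)


if __name__ == "__main__":
    scenario = build_example_scenario()
    print(f"P(success) = {scenario.tree.probability():.4f}")
    before, after, net = evaluate_countermeasure(
        scenario, "Pivot across flat network to control segment",
        new_p=0.1, annual_upgrade_cost=120_000.0)
    print(f"expected annual loss: {before:,.0f} -> {after:,.0f}; net benefit {net:,.0f}")
```

The decision maker then sees a concrete statement rather than a qualitative score: segmenting the control network (the constructed countermeasure) lowers the expected annual loss of this one scenario from roughly 278,000 to 78,500, which exceeds the assumed 120,000 annual cost of the upgrade. Changing the independence assumption or the leaf estimates changes the figures, so the inputs should be recorded with the scenario.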
5.4 ONGOING BUSINESS ATTENTION
Updates to security-related technologies are often overlooked as organizations focus on desired
functionality. Ongoing attention to the key system characteristics, as the system is used in
operations, must be adequately planned for, resourced and managed.
Because attacks change over time, security should be subject to periodic review. The rate of
change in the techniques, maturity and focus of attacks varies across types of technology and
across the business sectors and verticals they support. The maximum reasonable interval
between these reviews should be selected during the system design process, based on the
business model appropriate for the kind of system under construction. Periodic reassessments
and changes may be needed to address issues found during those reviews. More frequent
reviews and updates of security countermeasures may be required when new threats emerge or
regulations change, on top of the operational updates and product revisions driven by vendors'
releases of software fixes and updates.
The periodic security reviews should follow the same process as that used in the original
conceptualization, design, creation and deployment activities for the system. The original lists of
significant threats to the operations, usability, safety and other business needs should be
revalidated and updated if necessary. Existing countermeasures should be revalidated against
current industry best practices.
With an accurate record of the original design decisions made to meet the claimed capabilities,
and of the evidence used to support the architecture, design and technology choices, this
review will take minimal effort.
IIC:PUB:G4:V1.0:PB:20160926
- 33 -