Industrial Internet Security Framework v 1.0 | Page 33

Security Framework 5: Managing Risk

Systematic approaches develop models of possible consequences and possible attacks. Fault-tree analysis is a method for understanding how lower-level events might combine into significant undesirable outcomes. Attack-tree analysis is a method for understanding how attack vectors exposed in individual IIoT components might be combined to bring about a specific compromise.

Risks due to low-frequency, high-impact events can be difficult for business decision makers to evaluate. Qualitative risk scores are widely used to evaluate such risks, but they can be difficult to relate to security budgets, return on investment and the risk appetite of an organization. Some security teams instead communicate such risks by selecting a representative set of attack scenarios with significant adverse consequences that, given the organization's current security posture, are not defeated with a high degree of confidence. Business decision makers often find specific, representative attack scenarios easier to understand and evaluate than abstract qualitative scores. Specific scenarios allow them to select those they believe the security program should address better, and to compare the cost of upgrading security systems with the cost of the consequences of those specific scenarios.

5.4 ONGOING BUSINESS ATTENTION

Updates to security-related technologies are often overlooked as organizations focus on desired functionality. Ongoing attention to the key system characteristics, as the system is used in operations, must be adequately planned for, resourced and managed. Because attacks change over time, security should be subject to periodic review. The rate of change in the techniques, maturity and focus of attacks varies across types of technology and across the business sectors and verticals they support.
The maximum reasonable interval for these reviews should be selected during the system design process, based on the business model appropriate to the kind of system under construction. Periodic reassessments and changes may be needed to address issues found during those reviews. More frequent reviews and updates of security countermeasures may be required by the emergence of new threats or by regulatory changes, on top of the operational updates and product revisions driven by vendors' releases of software fixes and updates.

The periodic security reviews should follow the same process as was used in the original conceptualization, design, creation and deployment of the system. The original lists of significant threats to operations, usability, safety and other business needs should be revalidated and updated where necessary. Existing countermeasures should be revalidated against current industry best practices. With an accurate record of the original design decisions made to meet the claimed capabilities, and of the evidence used to support the architecture, design and technology choices, this review takes minimal effort.

IIC:PUB:G4:V1.0:PB:20160926 - 33 -
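The fault-tree and attack-tree analyses described at the top of this page share one structure: a top event or attacker goal decomposed through AND and OR gates down to basic events or attack steps. The following Python example is added here as an editor's illustration and is not part of the IISF text. It evaluates one such tree both ways: propagating independent basic-event probabilities to the top event (fault-tree style) and finding the cheapest attacker path (attack-tree style), then re-evaluates after a single countermeasure so that one representative scenario can be compared before and after an investment, as the page suggests. The plant scenario, its step names, costs and probabilities are constructed for illustration and carry no real-world data.

```python
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple


@dataclass
class Node:
    """One node of an AND/OR tree, usable as a fault tree or an attack tree."""
    name: str
    gate: str = "leaf"        # "leaf" (basic event / attack step), "and" or "or"
    cost: float = 0.0         # attacker cost of a leaf step (arbitrary units)
    prob: float = 0.0         # per-period probability that a leaf event occurs
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: float, prob: float) -> Node:
    return Node(name, "leaf", cost, prob)


def and_gate(name: str, *children: Node) -> Node:
    return Node(name, "and", children=list(children))


def or_gate(name: str, *children: Node) -> Node:
    return Node(name, "or", children=list(children))


def top_event_probability(node: Node) -> float:
    """Fault-tree view: probability that the node's event occurs, assuming basic
    events are independent. AND: all children occur (product). OR: at least one
    child occurs (1 minus the product of the complements)."""
    if node.gate == "leaf":
        return node.prob
    probs = [top_event_probability(c) for c in node.children]
    if node.gate == "and":
        return prod(probs)
    if node.gate == "or":
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {node.gate!r}")


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Attack-tree view: minimum attacker cost to reach the node's goal and the
    leaf steps on that path. AND: every child is needed (sum of costs).
    OR: the attacker takes the cheapest child."""
    if node.gate == "leaf":
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.gate == "and":
        return sum(c for c, _ in results), [s for _, steps in results for s in steps]
    if node.gate == "or":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r}")


def with_countermeasure(node: Node, leaf_name: str, cost: float, prob: float) -> Node:
    """Copy of the tree with one leaf made more expensive and less likely, so a
    proposed security investment can be compared before and after."""
    if node.gate == "leaf":
        return Node(node.name, "leaf", cost, prob) if node.name == leaf_name else node
    return Node(node.name, node.gate,
                children=[with_countermeasure(c, leaf_name, cost, prob) for c in node.children])


# Constructed scenario: hypothetical IIoT plant. Step names, costs and
# probabilities are illustrative assumptions, not figures from the IISF.
VPN_STEP = "Reach plant network over remote-access VPN"


def example_tree() -> Node:
    return or_gate(
        "Unsafe setpoint accepted by PLC",
        and_gate("Remote path",
                 leaf("Phish engineer credentials", cost=2, prob=0.30),
                 leaf(VPN_STEP, cost=3, prob=0.50),
                 leaf("Push setpoint from engineering workstation", cost=1, prob=0.90)),
        and_gate("Local path",
                 leaf("Gain physical access to field cabinet", cost=8, prob=0.05),
                 leaf("Use unauthenticated maintenance port", cost=1, prob=0.80)),
    )


def hardened_tree() -> Node:
    # Hypothetical countermeasure: MFA and monitoring on the VPN step.
    return with_countermeasure(example_tree(), VPN_STEP, cost=10, prob=0.05)


def main() -> None:
    for label, tree in (("current posture", example_tree()), ("with VPN MFA", hardened_tree())):
        cost, steps = cheapest_attack(tree)
        print(f"{label}: P(top event)={top_event_probability(tree):.4f}, "
              f"cheapest attack cost={cost}, via: {' -> '.join(steps)}")


if __name__ == "__main__":
    main()
```

In the constructed scenario the remote path is the cheapest attack (cost 6) and dominates the top-event probability (about 0.17 per period); after the VPN step is hardened, the cheapest remaining path is the local one (cost 9) and the top-event probability falls to about 0.053. The printed lines are exactly the kind of concrete, representative scenario the page recommends putting in front of decision makers, with the cost of the countermeasure set against the change in both numbers.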